The SEC recently reminded public companies that they have an affirmative obligation to prevent cyber-theft and that failing to do so could mean that their internal controls are ineffective, a violation of the Securities Exchange Act of 1934.
In an October 16, 2018 investigative report describing recent cyber-related frauds against nine public companies, the SEC noted that public companies must maintain a system of internal accounting controls sufficient to provide reasonable assurance that “access to assets is permitted only in accordance with management’s general or specific authorization.” In each of the nine cases, the public companies were tricked into wiring funds to a bank account controlled by the perpetrator.
The tricks generally fell into two categories. In the first, the perpetrator sent e-mails, purportedly from the public company’s CEO or another senior executive, urgently directing company personnel to wire funds to an account for a pending transaction. In the second, the perpetrator used a hacked account of one of the company’s vendors to direct company personnel to change the vendor’s payment information, thereby causing the company to wire funds to the perpetrator’s account instead of the vendor’s account.
Although the SEC declined to pursue enforcement actions against any of the nine victims, it used the investigative report to remind public companies that their systems of internal controls must be designed and operated to prevent these and other kinds of cyber-theft. Most of the victims had procedures designed to prevent improper wire transfers or to govern changes to vendor payment information, but company personnel were either unaware of those procedures or ignored them. For instance, some companies ignored requirements to obtain authorization from a second officer. In other cases, employees ignored obvious red flags, such as highly unusual directions.
As the report states, public companies “must calibrate their internal accounting controls to the current risk environment and assess and adjust policies and procedures accordingly.” As the annual evaluation of the effectiveness of internal controls approaches, management and audit committee members should be prepared to respond to questions from their independent auditors, who may perform additional audit procedures related to compliance with payment authorization controls. Companies should consider reviewing and updating their controls to address cyber-related risks and retraining relevant personnel to comply with those controls on a consistent basis.