A recent Securities and Exchange Commission (SEC) investigation¹ of nine publicly traded companies revealed their susceptibility to cyber-related frauds that were not technologically sophisticated, but merely used technology to identify weaknesses in policies and procedures and exploit human weaknesses to penetrate the control environment. The nine companies lost nearly $100 million in total, and almost none of that money was ever recovered.
“Spoofing” Exploited Their Vulnerabilities
The companies that were investigated encompassed numerous industries including technology, machinery, real estate, energy, financial services, and consumer goods. In each instance, the companies fell victim to two forms of spoofing where the perpetrators sent communications from an unknown source disguised as a source known to the receiver.
In its investigation, the SEC considered whether the issuers complied with SEC provisions², which stated that the publicly traded companies maintain a system of internal accounting controls sufficient to provide reasonable assurances that:
While the cyber-related threats posed to companies’ assets are relatively new, the SEC expects and encourages organizations to review and update their internal accounting controls to address these growing threats. The SEC determined not to pursue an enforcement action based on the conduct and activities of the nine public issuers.
Lessons Learned – Tighten Your Controls, Enhance Employee Training
The SEC did, however, deem it in the public interest to publish a report of the investigation to make publicly traded companies and other market participants aware of the growing cyber-related threats of spoofed and manipulated electronic communications. The victimized companies took this experience as a lesson to revisit and tighten their controls and institute employee training to reduce their vulnerability to similar frauds.
Here are a few important cyber security safeguards that are applicable across all industries:
If you have questions about revising your internal accounting controls, enhancing your employee education, or improving your defenses against cyber-fraud, contact Mitchell Marcus, CPA and Principal at 212.331.7460 | firstname.lastname@example.org or Alexander Moshinsky, CPA, Director, Operational Advisory and Risk Management at 212.331.7488 | email@example.com.
Berdon LLP New York Accountants
¹ Securities Exchange Act of 1934 Release No. 84429/October 16, 2018
² Sections 13(b)(2)(B)(i) and (iii) of the Securities Exchange Act of 1934