Key Takeaways from SEC Report on Cyber-Related Frauds and Internal Accounting Controls

In today's rapidly evolving digital landscape, the threat of cyber-related fraud has become an ever-present concern for public companies. The SEC's 2018 report sheds light on this issue, focusing on the risks posed by cyber-related frauds that exploit vulnerabilities in internal controls. The report serves as both a cautionary tale and a guide for companies looking to strengthen their defenses against these sophisticated attacks.

The Growing Threat of Cyber-Related Frauds

The SEC’s 2018 report highlights the increasing prevalence of cyber-related frauds targeting public companies. These schemes often involve relatively simple technological tactics, such as spoofed emails or compromised vendor accounts, but they capitalize on human vulnerabilities and weaknesses in internal controls. One particularly alarming case involved a company losing over $45 million through 14 unauthorized wire transfers initiated by a fraudster impersonating a high-ranking executive.

This type of fraud—often referred to as "business email compromise" (BEC)—is a stark reminder that even the most technologically advanced systems can be undone by a lack of robust internal controls. The financial losses in these cases were substantial, underscoring the need for companies to be vigilant in protecting their assets.

Legal Implications: A Focus on Internal Controls

At the heart of the SEC’s analysis is the question of whether the companies that fell victim to these frauds violated federal securities laws by failing to maintain adequate internal accounting controls. Specifically, the report examines compliance with Sections 13(b)(2)(B)(i) and (iii) of the Securities Exchange Act of 1934. These provisions require public companies to devise and maintain systems of internal accounting controls that ensure transactions are properly authorized and that access to company assets is controlled.

The SEC ultimately decided not to pursue enforcement action against the companies involved. However, the report was issued as a warning: the need for effective internal controls is not new, but the nature of the threats companies face has evolved. The expectation is clear—public companies must adapt their internal controls to address the risks posed by cyber-related fraud.

Key Takeaways for Legal and Compliance Professionals

For legal and compliance professionals, the SEC’s report is a crucial reminder that cybersecurity and internal controls are inextricably linked. The evolving nature of cyber threats requires a proactive approach to internal controls that goes beyond traditional compliance checklists.

Here are some key actions that legal and compliance teams should consider in light of the SEC’s findings:

1. Integrate Cybersecurity into Risk Management: Cybersecurity should be a core component of your company's risk management strategy. This includes regularly reviewing and updating internal controls to address new and emerging cyber threats.

2. Enhance Training and Awareness: Given that many cyber-related frauds exploit human vulnerabilities, ongoing training for employees at all levels is essential. Employees should be educated on how to recognize and respond to phishing attempts, spoofed emails, and other common tactics used in BEC schemes.

3. Implement Robust Authentication Processes: Strengthening authentication processes for financial transactions can help prevent unauthorized wire transfers and other forms of cyber-related fraud. Multi-factor authentication (MFA) and out-of-band verification are examples of controls that can add an extra layer of security.

4. Conduct Regular Audits and Assessments: Regularly auditing your company's internal controls can help identify potential weaknesses before they are exploited. This includes assessing both the technical and human elements of your control environment.

Conclusion: Staying Ahead of the Curve

The SEC's 2018 report is more than just a historical account of cyber-related frauds; it is a call to action for public companies and their legal and compliance teams. As cyber threats continue to evolve, so too must the internal controls that protect company and investor assets. By integrating cybersecurity into the broader framework of internal controls and compliance, companies can better safeguard against the financial and reputational damage that can result from cyber-related fraud.

In an era where cyber threats are constantly changing, staying ahead of the curve is not just a best practice—it’s a necessity. Legal and compliance professionals play a crucial role in ensuring that their organizations are not only compliant with federal securities laws but are also resilient in the face of ever-evolving cyber risks.

* * *

Attorney Advertising—Anderson P.C. is a U.S. law firm located at 1717 K Street NW, Suite 900, Washington, D.C. 20006.

Anderson P.C. provides this information as a service to clients, prospective clients, and other friends for educational purposes only. It should not be construed or relied on as legal advice or to create a lawyer-client relationship. Readers should not act upon this information without seeking advice from professional advisers. If you have any questions, please contact Braeden Anderson.