The Securities and Exchange Commission (SEC) has issued an investigative report cautioning that public companies should consider cyber threats when implementing internal accounting controls.

Losing millions

The report is based on the SEC Enforcement Division's investigations of nine public companies that fell victim to cyber fraud, losing millions of dollars in the process. The SEC's investigations focused on ‘business email compromises’ (BECs) in which perpetrators posed as company executives or vendors and used emails to dupe company personnel into sending large sums to bank accounts controlled by the perpetrators. The frauds in some instances lasted months and often were detected only after intervention by law enforcement or other third parties. Each of the companies lost at least $1 million, two lost more than $30 million, and one lost more than $45 million. In total, the nine companies wired nearly $100 million as a result of the frauds, most of which was unrecoverable. No charges were brought against the companies or their personnel.

Wide-ranging

The companies, which each had securities listed on a national stock exchange, covered a range of sectors including technology, machinery, real estate, energy, financial, and consumer goods. Public issuers subject to the internal accounting controls requirements of Section 13(b)(2)(B) of the Securities Exchange Act of 1934 must calibrate their internal accounting controls to the current risk environment and assess and adjust policies and procedures accordingly. The FBI estimates fraud involving BECs has cost companies more than $5 billion since 2013. ‘Cyber frauds are a pervasive, significant, and growing threat to all companies, including our public companies, said SEC Chairman Jay Clayton, adding ‘investors rely on our public issuers to put in place, monitor, and update internal accounting controls that appropriately address these threats.’ The issuance of the SEC's report coincides with National Cybersecurity Awareness Month. The report can be found here.