(Editor’s note: The author is a former chief accountant of the Securities and Exchange Commission’s Division of Enforcement.)
Companies are now on notice that they must consider cyber threats when devising and maintaining a system of internal accounting controls.
A turning point came in mid-October, when the SEC issued a report on an investigation relating to nine public companies that collectively lost nearly $100 million in cyber-fraud incidents.
In each case, company personnel received spoofed or compromised electronic communications from external sources, causing disbursements to be made to cyber-fraudsters.
One company made 14 wire payments over the course of several weeks after finance personnel received fake emails appearing to be from executives. Another company paid eight invoices over several months after receiving manipulated banking information for a vendor.
The damage was significant: two of the companies lost more than $30 million and each lost at least $1 million.
Ultimately, the report concluded the SEC would not pursue enforcement actions in these instances and would not in the future find every company victimized by a cyber-scam to be in violation.
But the commission made it clear that public companies subject to Section 13(b)(2)(B) of the Securities Exchange Act — the federal securities law provision covering internal controls — have an obligation to assess and calibrate internal accounting controls for the risk of cyber frauds and adjust policies and procedures accordingly.
New Category of Internal Controls Violation
The SEC’s report signals a new avenue for future internal controls-related enforcement that accounting, legal, and compliance personnel will need to evaluate.
Historically, the SEC has invoked Section 13(b)(2)(B) when a public company has: (1) materially misstated its financial statements; (2) paid bribes to foreign government officials; (3) paid commercial bribes; or (4) reimbursed employees for unauthorized expenses.
The vast majority of 13(b)(2)(B) prosecutions have involved public companies that engaged in accounting fraud where internal controls charges were levied as lesser included offenses; or engaged in non-fraud accounting actions where the SEC deemed there to be aggravating factors warranting prosecution. From 2013 through 2017, cases involving companies materially misstating their financial statements have averaged 103 actions per year, or about 13% of all SEC enforcement actions.
Foreign Corrupt Practices Act enforcement actions in which companies were charged for having insufficient controls for detecting illegal bribes to foreign government officials have averaged 12 cases per year over the same period, or about 1.5% of total actions.
By comparison, enforcement actions involving commercial bribes to private entities have been rare. Also, cases involving unauthorized and sometimes lavish personal expenses (or undisclosed perquisites), while increasing in number, are still filed infrequently.
Now, the SEC’s report has opened the door for 13(b)(2)(B) charges in a fifth circumstance: when a public company is victimized by a cyber incident and has unwittingly disbursed funds to cyber-fraudsters.
The SEC’s report cited Section 13(b)(2)(B)(i) and (iii) as the subsections relevant in a cyber-fraud scenario. These subsections require the execution of transactions and access to company assets to be permitted only with management’s general or specific authorization.
These are the same subsections invoked in bribery and expense reimbursement prosecutions, where — aside from qualitative disclosure or contingent liability considerations — the amounts disbursed are typically immaterial for financial statement presentation purposes.
This is in contrast to accounting prosecutions, which generally involve material financial statement misstatements and invoke subsection 13(b)(2)(B)(ii)(I), requiring transactions to be recorded as necessary to permit preparation of financial statements in conformity with GAAP.
Qualitative Differences from Prior 13(b)(2)(B) Actions
Several key differences between prior 13(b)(2)(B) prosecutions and potential actions involving cyber scams could serve to limit the number of enforcement actions the SEC pursues in this area.
First, as the SEC has acknowledged, a company charged in connection with a cyber-scam incident is the victim of fraudulent activity. This is in sharp contrast to both accounting fraud and bribery cases in which the company may “benefit” — at least until caught — from the improper conduct.
In accounting fraud cases, company personnel demonstrate their fraudulent intent by falsifying records and circumventing controls. Even in non-fraud accounting actions, there is often evidence of bad faith justifying the prosecution.
Similarly, in bribery schemes, the perpetrators are employees or agents of the company attempting to secure an unfair advantage over competitors and perhaps benefit themselves. And in unauthorized expense actions, a company employee is still responsible for the improper conduct even though the company could be viewed as the victim.
In a cyber-fraud scenario, in contrast, the main perpetrator is an outside third-party attempting to misappropriate funds from the company. Any disbursement would arise primarily because a company employee, without any improper motive, was duped or manipulated into unwittingly assisting the outside third-party fraudster.
And, while adequate staffing, training, and supervision are necessary, a prosecution involving a cyber scam would be predicated largely on honest mistakes, not illegal conduct. Even the SEC’s report acknowledged that for spoofed vendor emails, fewer red flags and indicia of illegitimacy were present.
The SEC report stated because the cyber-frauds “were not sophisticated in design or use of technology,” human vulnerabilities rendered the control environment ineffective.
Notably, the SEC also said, “Having accounting control systems that factor in such cyber-related threats, and related human vulnerabilities, may be vital to maintaining a sufficient accounting control environment and safeguarding assets.”
Section 13(b)(2)(B), however, only requires “reasonable assurance,” not “absolute assurance,” concerning the effectiveness of controls.
According to the COSO framework, a well-recognized guide for evaluating internal controls, reasonable controls cannot prevent or detect all errors, and an effective system can experience a failure due to inherent limitations, such as lapses in human judgment or external factors beyond a company’s control.
The SEC’s statements, however, may signal a broader interpretation of what constitutes “reasonable assurance” in the cyber context. While the SEC could face difficulties in court or in persuading companies to settle, it is unclear what would prevent the SEC from stretching the limits of the reasonable assurance standard in prosecuting accounting, bribery, and unauthorized-expense matters.
The SEC, therefore, might consider limiting enforcement actions to only the most serious situations — for example, when a company failed to remediate known deficiencies but continued to make illegitimate disbursements — or when disbursements were made after an employee openly and repeatedly flouted company policies, with supervisors taking no actions to safeguard assets.
What Should Companies Do
As the report warns, companies should be proactive and take steps to consider cyber scams. Specific measures should include:
- Identify enterprise-wide cybersecurity policies and how they intersect with federal securities laws compliance
- Update risk assessments for cyber-breach scenarios
- Identify key controls designed to prevent illegitimate disbursements, or accounting errors from cyber frauds, and understand how they could be circumvented or overridden. Attention should be given to controls for payment requests, payment authorizations, and disbursements approvals — especially those for purported “time-sensitive” and foreign transactions — and to controls involving changes to vendor disbursement data.
- Evaluate the design and test the operating effectiveness of these key controls
- Implement necessary control enhancements, including training of personnel
- Monitor activities, potentially with data analytic tools, for potential illegitimate disbursements
While it’s not addressed in the report, companies could be at risk for disclosure failures after a cyber incident, and CEOs and CFOs are in the SEC’s cross-hairs due to representations in Section 302 Certifications. Therefore, companies should also consider disclosure controls for cyber-breaches.
While taking these actions may not inoculate companies and officers from becoming the subject of a costly SEC investigation, documenting these activities should increase the odds of thwarting an incident, protecting company assets, and mitigating regulatory outcomes.
Howard Scheck is a partner at StoneTurn, a global advisory firm that assists companies, their counsel and government agencies on regulatory, risk and compliance issues, investigations, and business disputes.