Loyola University Chicago School of Law, JD 2020
In the age of digitization, data seems less secure than ever. Public companies constantly attempt to safeguard both personal and financial data, yet their efforts fail due to new outbreaks of malicious encryption viruses and persistent email phishing attempts. Data breaches and cyber fraud carry severe financial implications for public companies who fall victim to these types of attacks. But a new Securities and Exchange Commission (SEC) report says that public companies that are easy targets of cyber scams could also be in violation of federal securities laws and accounting regulations that call for firms to safeguard their assets. Although the SEC has issued its warning to public companies about the compliance and financial risks posed by cyber fraud, many companies are still struggling to implement effective protections against newly-evolved forms of cyber-attacks.
SEC report is released against the larger backdrop of global cybersecurity concerns
The investigative report issued by the SEC named nine public companies as victims of complex phishing schemes that cost the companies a combined total of roughly $100 million. Under the guise of executive communications, each company wired the large sums of money to hackers who impersonated corporate executives or vendors using spoofed emails. This scheme has also been called “social engineering fraud” and according to the report: “[e]ach of the nine issuers lost at least $1 million; two lost more than $30 million. In total, the nine issuers lost nearly $100 million to the perpetrators, almost all of which was never recovered.”
To make matters worse, many of these schemes were virtually unidentifiable to the companies and were only brought to light when outside parties noticed irregularities in their dealings. “One of the companies reportedly made 14 wire payments requested by the fake executive… resulting in over $45 million in losses…before the fraud was uncovered by an alert from a foreign bank.” Another company paid eight invoices totaling $1.5 million before the fraud discovered by the real vendor, who complained about past-due invoices. The FBI estimates fraud involving business email compromises (BECs) has cost companies more than $5 billion since 2013.
Although the companies detailed in the SEC report suffered massive, unrecoverable losses, a recent study from The Center for Strategic and International Studies claims that $600 billion was lost globally as a result of cybercrime in 2017. This number is roughly 1% of the global GDP and has only increased since the last report in 2014, which cited a global loss of $445 billion. The study credits the three-year increase to cybercriminals quickly evolving new technologies and leveraging black markets and digital currencies against companies.
In early 2017, a ransomware named NotPetya became one of the most prevalent forms of malware utilized in cyber-attacks. This ransomware infects and encrypts a company’s files, effectively holding them hostage until the company surrenders a bitcoin payment to hackers. However, by the middle of the year, hackers had developed newer and more effective methods, and by the end of 2017, this type of ransomware represented only 10% of attacks. The ever-evolving nature of malware means that companies have an especially difficult task in defending against new types of attacks.
Examining cyber fraud and attacks as non-compliance
SEC Investigators concluded that the scams succeeded in part due to unfamiliarity with the company’s cyber controls and failure to notice security alerts, but not all companies that fall for cyber scams are guilty of having lax safeguards. Charles Elson, director of the Weinberg Center for Corporate Governance at the University of Delaware, noted that companies have long struggled with cybersecurity, but the report made it clear that “internal accounting controls may need to be reassessed in light of emerging risk.”
Public issuers are subject to the internal accounting controls requirements of Section 13(b)(2)(B) of the Securities Exchange Act of 1934 (“Act”). They must “calibrate their internal accounting controls to the current risk environment and assess and adjust policies and procedures accordingly.” Via this regulation, businesses are tasked with implementing, monitoring and updating their accounting and data protocols to comply with Section 13(b)(2)(B) and investors rely upon their compliance with this regulation. Cybersecurity has become a priority for investors and companies because it serves as both potential business and operational risks. Failure to maintain these protocols is much costlier than just the money lost to hackers. Non-compliance with the Act can result in civil or administrative action, like audits and injunctive measures, as well as monetary penalties.
Stephanie Avakian, the Co-Director of the SEC Enforcement Division, said: “In light of the facts and circumstances, we did not charge the nine companies we investigated, but our report emphasizes that all public companies have obligations to maintain sufficient internal accounting controls and should consider cyber threats when fulfilling those obligations.” Given that October is Cyber-Security Awareness Month, it seems appropriate that public companies should spend some time this month reassessing their data protection protocols in light of the SEC’s report.