The threat of cyberscams in the form of what has been called “social engineering fraud” or “payment instruction fraud” has become pervasive. In these swindles, imposters posing as senior corporate executives or company vendors direct company personnel to transfer funds to accounts that the imposters control. Losses from these frauds can be substantial, and, as I have noted in prior posts on this site, the insurance coverage questions these losses present can be challenging. Earlier this week, the SEC released an investigative report taking a look at what the agency called “business email compromises” at nine different public companies. The report underscores the need for companies to take cyber threats into account when implementing internal accounting controls. The report has some interesting insurance underwriting implications as well. The SEC’s October 16, 2018 press release about the report can be found here.
The agency prepared the report as part of its investigation of whether the nine unnamed companies that experienced the cyberscams “may have violated the federal securities laws by failing to have a sufficient system of internal accounting controls.” Specifically, the agency considered whether the companies complied with the requirement under the securities laws to “devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances that transactions are executed with, or that access to company assets is permitted only with management’s general or specific authorization.”
The nine companies the agency investigated are in a variety of different industries. All nine of the publicly traded companies involved lost at least $1 million in the scams; two lost more than $30 million. In total, the nine issuers lost nearly $100 million, almost all of which was never recovered. Some of the scams involved multiple transfers over extended time periods. One company made 14 wire payments over the course of several weeks, resulting in over $45 million in losses.
The losses took two different forms, one involving emails from imposters purporting to be senior company executives and one involving emails impersonating the companies’ vendors. The scams involving emails from fake executives had certain features in common: the emails involved time-sensitive foreign transactions that needed to be completed in days and emphasized the need for secrecy; the emails requested that funds be sent to foreign banks and beneficiaries; and the emails were directed to mid-level personnel not typically responsible for the type of transaction involved. The emails from fake vendors typically involved a “more technically sophisticated” scheme, because it involved intrusion into the (typically foreign) vendors’ email accounts to create legitimate-appearing phony invoices.
The agency noted that the companies involved remained largely unaware of the schemes until they were uncovered by third parties, including detection by a foreign bank or law enforcement agency.
The SEC noted that the schemes were often successful largely because employees either did not understand or did not follow the issuers’ internal control procedures.
As a result of its investigation, the agency decided not to pursue enforcement action against any of the companies involved, but determined to issue its report in order to inform issuers that these cyber-related threats exist and should be considered when devising and maintaining the system of internal accounting controls the securities laws require.
In thinking about the kinds of things that companies should do in order to strengthen their controls to protect against these kinds of losses, the agency noted that following the discovery of their losses, all of the companies involved sought to enhance their payment authorization procedures and verification requirements for vendor information changes. The companies also took steps to bolster their account verification procedures and outgoing payment notification process to aid detection of fraudulent payments.
Finally, because the frauds succeeded, at least in part “because the responsible personnel did not sufficiently understand the company’s existing controls” or recognize indications that should have alerted the personnel of the email’s lack of reliability, all of the companies involved enhanced their training of responsible personnel about relevant threats as well as pertinent policies and procedures.
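The controls the companies adopted after their losses (payment authorization limits, verification of vendor bank-detail changes, account verification before payment) and the red flags the report lists (urgency, secrecy, foreign beneficiaries, requests routed to personnel not normally responsible) can be expressed as a concrete pre-payment check. The following Python module is an added illustration written for this post; it is not code from the SEC report or from any of the companies it describes, and every vendor name, role, threshold and sample request in it is constructed.

```python
"""Pre-payment control check illustrating the SEC's 2018 BEC report.

Added example, not code from the SEC or any company in the report.
All names, roles, thresholds and sample data below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Vendor:
    name: str
    country: str
    verified_account: str                   # bank account confirmed out of band
    pending_account: Optional[str] = None   # change requested, not yet verified


@dataclass
class PaymentRequest:
    vendor: str
    amount: float
    beneficiary_account: str
    beneficiary_country: str
    requested_via: str          # "approved_workflow" or "email"
    requester_role: str
    urgent: bool = False        # "must be completed in days"
    confidential: bool = False  # "keep this between us"


HOME_COUNTRY = "US"
# Constructed authorization limits per role; anything above the limit
# cannot be initiated by that role at all.
AUTHORIZATION_LIMITS = {"ap_clerk": 25_000, "controller": 250_000, "cfo": 5_000_000}
DUAL_APPROVAL_THRESHOLD = 25_000

Finding = Tuple[str, str]  # ("block" | "flag", reason)


def review_payment(req: PaymentRequest, vendors: Dict[str, Vendor]) -> Tuple[bool, List[Finding]]:
    """Return (approved, findings).

    A "block" finding stops the payment outright; "flag" findings let it
    proceed only with a second approver looking at the listed reasons.
    """
    findings: List[Finding] = []
    vendor = vendors.get(req.vendor)
    if vendor is None:
        return False, [("block", "vendor not in master file")]

    # Account verification: pay only the account confirmed out of band.
    if req.beneficiary_account != vendor.verified_account:
        if req.beneficiary_account == vendor.pending_account:
            findings.append(("block", "bank-detail change not yet verified out of band"))
        else:
            findings.append(("block", "beneficiary account does not match vendor master"))

    # Payment authorization: instructions arriving by email are not instructions.
    if req.requested_via != "approved_workflow":
        findings.append(("block", "payment instruction received outside approved workflow"))
    if req.amount > AUTHORIZATION_LIMITS.get(req.requester_role, 0):
        findings.append(("block", f"{req.requester_role} not authorized for {req.amount:,.0f}"))

    # Red flags from the report: not fatal alone, but each needs a second pair of eyes.
    if req.beneficiary_country != HOME_COUNTRY:
        findings.append(("flag", "foreign beneficiary"))
    if req.urgent:
        findings.append(("flag", "time pressure"))
    if req.confidential:
        findings.append(("flag", "request for secrecy"))
    if req.amount >= DUAL_APPROVAL_THRESHOLD:
        findings.append(("flag", "amount requires dual approval"))

    approved = not any(level == "block" for level, _ in findings)
    return approved, findings


def verify_vendor_change(vendor: Vendor, confirmed_by_callback: bool) -> bool:
    """Promote a pending bank-detail change only after a callback to the
    phone number already on file (never to a number supplied in the request)."""
    if vendor.pending_account is None or not confirmed_by_callback:
        return False
    vendor.verified_account = vendor.pending_account
    vendor.pending_account = None
    return True


def sample_vendors() -> Dict[str, Vendor]:
    """Constructed vendor master: one vendor with an unverified account change pending."""
    return {"Acme Parts Ltd": Vendor("Acme Parts Ltd", "DE", "DE-111", pending_account="LV-999")}


if __name__ == "__main__":
    vendors = sample_vendors()
    # Constructed request matching the report's fake-vendor pattern.
    suspicious = PaymentRequest("Acme Parts Ltd", 40_000.0, "LV-999", "LV", "email",
                                "ap_clerk", urgent=True, confidential=True)
    for level, reason in review_payment(suspicious, vendors)[1]:
        print(f"{level:5} {reason}")
```

Run stand-alone, the script prints the three blocking findings and four flags raised by the constructed fake-vendor request; the same request succeeds only after `verify_vendor_change` has been completed with a real callback, which is exactly the gap the report says the companies closed.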
The SEC noted that email scams like the ones investigated here have caused business losses of over $5 billion since 2013, which according to the Federal Bureau of Investigation (“FBI”) is greater than losses caused by any other type of cyber-related crime. In other words, these kinds of scams represent a very substantial threat to companies – and not just publicly traded companies like the ones involved in the SEC investigation. The SEC’s report makes it clear that all companies would be well-advised to re-assess both the sufficiency of their internal accounting controls relating to foreign transactions and the adequacy of their employee training.
In thinking about the steps companies can take in light of this threat, it is interesting to consider the actions the companies involved here took once they discovered that they had been scammed. The companies tightened up their payment authorization protocols, account reconciliation procedures, and employee training. These are steps all companies can take. The SEC’s report is in effect a cautionary warning that these are steps companies should take. It is worth noting, as the agency emphasized, that “systems of internal accounting controls, by their nature, depend on the personnel that implement, maintain, and follow them.” For that reason, personnel training is the indispensable element of an effective system of internal controls.
The control elements the companies adopted after they discovered the scams not only suggest the important ways that companies can protect themselves, but they also may suggest areas of inquiry that could be of interest to insurance underwriters. Given the SEC’s report, insurance underwriters clearly have an interest in obtaining information about the controls companies have in place to address cyber threats. The report also suggests that the specific areas for inquiry relate to their applicants’ payment authorization protocols, account reconciliation procedures, and personnel training.
Ultimately, the most important defense against these kinds of scams is awareness – awareness that the threat exists and awareness of the need for vigilance. That is clearly the message of the SEC’s interesting report.