In an October 16, 2018 investigation report, the Securities and Exchange Commission found that nine companies that suffered Business Email Compromise, or BEC, had insufficient internal controls to prevent such attacks. Although the Commission did not charge any of the companies profiled in the report, the report is the latest evidence of the SEC's attempt to step up enforcement and oversight of public companies' cybersecurity controls and governance processes.

During 2018, there has been a steady drumbeat of warnings from the cybersecurity firms and government agencies regarding the prevalence and success of cyber scammers targeting businesses through wire fraud schemes. The activity that is the subject of the SEC's report, called "Business Email Compromise," or BEC, usually involves a hacker impersonating either a high-level executive or a vendor, and then requesting a wire payment be directed—or redirected—to a different bank account. Those bank accounts, often based in Hong Kong or China, are then used to redirect the money to other bank accounts and are quickly emptied, making recovering the money nearly impossible. The sophistication of the hack can vary from simplistic attempts to highly sophisticated hacks that can be developed for months and involve compromises of email accounts of multiple companies. Often, employees are targeted or impersonated based on their social media profiles.

In June, the Department of Justice announced the arrest of 74 individuals involved in BEC scams, the majority of which were based in Nigeria and the United States. The U.S. government estimates more than $12.5 billion has been stolen through these hacks.

The SEC report comes almost a year since the Commission established its Cyber Unit in the Enforcement Division. While the Commission made clear that it was "not suggesting that every issuer that is the victim of a cyber-related scam is, by extension, in violation of … the federal securities laws," it noted that failure to reassess internal accounting controls in light of emerging risks could violate of the internal accounting controls requirements of the federal securities laws, specifically Sections 13(b)(2)(B)(i) and (iii) of the Securities Exchange Act of 1934.

In the report, the Commission noted that each of the nine issuers lost at least $1 million from the BEC scams; two lost more than $30 million. In many cases, the companies discovered the hacks only after being contacted by foreign banks that detected the scams or by a vendor who complained of past-due invoices. The Commission found that, in many cases, lack of employee training, and the failure of employees to follow procedures, contributed to the success of these attacks.

Although the SEC did not charge any companies in its investigation, the report serves as a warning to companies that failure to take action to prevent these types of hacks may result in charges being brought by the SEC going forward. Companies should review both their internal training as well as their technical safeguards to prevent these types of hacks, including:

• Ensuring employees involved in managing wire transfers receive training on these types of scams, including training on how to identify phishing attempts, and on strong password hygiene;
• Requiring multiple sources of authentication before initiating new wire transfers or changing the bank account information for existing wire transfer recipients;
• Ensuring that protocols for wire transfers are documented and followed;
• Reviewing the company's password and multifactor authentication (MFA) policies for all employees' emails and accounts who are involved in financial transactions to reduce the possibility of email compromise; and,
• Reviewing email administration protocols to detect unusual activity or logins from unexpected sources as well as detect the creation of forwarding or deletion rules, which are commonly used by hackers to prevent detection of their activities.

Implementing these sorts of controls and procedures will both help prevent attacks and assure that the SEC's internal controls guidance is satisfied.