The Securities and Exchange Commission (SEC) is imploring public companies to consider cyber threats when implementing internal accounting controls.
SEC officials recently released details of an investigative report based on the SEC Enforcement Division’s probe of nine public companies that fell victim to cyber fraud and lost millions of dollars in the process.
“Cyber frauds are a pervasive, significant and growing threat to all companies, including our public companies,” SEC Chairman Jay Clayton said. “Investors rely on our public issuers to put in place, monitor and update internal accounting controls that appropriately address these threats.”
SEC officials said the investigative work focused on business email compromises (BECs), where perpetrators posed as company executives or vendors and used emails to dupe company personnel into sending large sums to bank accounts controlled by the perpetrators.
The frauds lasted months in some instances and often were detected only after intervention by law enforcement or other third parties.
Authorities said each of the companies lost at least $1 million; two lost more than $30 million, and one lost more than $45 million. In total, the nine companies wired nearly $100 million as a result of the frauds, with most of it unrecoverable.
“In light of the facts and circumstances, we did not charge the nine companies we investigated, but our report emphasizes that all public companies have obligations to maintain sufficient internal accounting controls and should consider cyber threats when fulfilling those obligations,” Stephanie Avakian, co-director of the SEC Enforcement Division, said.