Public companies must update controls against cyberfraud, SEC report says

Public companies not doing enough to prevent cyber-related fraud activity are also at risk of being investigated by the Securities and Exchange Commission, the agency warned in an investigative report issued Tuesday.

"While the cyber-related threats posed to issuers' assets are relatively new, the expectation that issuers will have sufficient internal accounting controls and that those controls will be reviewed and updated as circumstances warrant is not," the report said.

The report is based on the SEC enforcement division's investigations of nine public companies that lost nearly $100 million to cyberfraud practices called "business email compromises," where perpetrators posed as company executives or vendors and used emails to dupe company personnel into sending large sums.

The companies, each of which had securities listed on a national stock exchange, covered numerous sectors including technology, machinery, real estate, energy, financial and consumer goods. Each company lost at least $1 million, two lost more than $30 million, and one lost more than $45 million to the fraudulent practices, which in some instances lasted months and were detected only after intervention by law enforcement or other third parties.

No charges were brought against the companies or their personnel, but enforcement division co-director Stephanie Avakian said the report emphasizes that all public companies have obligations to maintain sufficient internal accounting controls. Section 13(b)(2)(B) of the Securities Exchange Act of 1934 requires those controls to be calibrated to the current risk environment.

"Investors rely on our public issuers to put in place, monitor, and update internal accounting controls that appropriately address these threats," SEC Chairman Jay Clayton said in a statement.

According to the report, spoofed or manipulated electronic communications are an increasingly pervasive problem, particularly for companies that engage in transactions with foreign customers or suppliers. The FBI estimated that "business email compromises" have caused more than $5 billion in losses since 2013, and a record $675 million in cyber-facilitated crime losses in 2017.