Report of Investigation Pursuant to Section 21(a) of the Securities Exchange Act of 1934 Regarding Certain Cyber-Related Frauds Perpetrated Against Public Companies and Related Internal Accounting Controls Requirements

Citation
Securities and Exchange Commission, Report of Investigation Pursuant to Section 21(a) of the Securities Exchange Act of 1934 Regarding Certain Cyber-Related Frauds Perpetrated Against Public Companies and Related Internal Accounting Controls Requirements (Oct. 18, 2018).

Overview
The U.S. Securities and Exchange Commission's ("Commission") Division of Enforcement ("Division"), in consultation with the Division of Corporation Finance and the Office of the Chief Accountant, investigated whether certain public issuers that were victims of cyber-related frauds may have violated the federal securities laws by failing to have a sufficient system of internal accounting controls.

The issuers, a group that spans numerous industries, each lost millions of dollars as a result of cyber-related frauds. In those frauds, company personnel received spoofed or otherwise compromised electronic communications purporting to be from a company executive or vendor, causing the personnel to wire large sums or pay invoices to accounts controlled by the perpetrators of the scheme. Spoofed or manipulated electronic communications are an increasingly familiar and pervasive problem, exposing individuals and companies, including public companies, particularly those that engage in transactions with foreign customers or suppliers, to significant risks and financial losses.

The Federal Bureau of Investigation recently estimated that these so-called "business email compromises" had caused over $5 billion in losses since 2013, with an additional $675 million in adjusted losses in 2017, the highest estimated out-of-pocket losses from any class of cyber-facilitated crime during this period.

In connection with the investigation, the Commission considered whether the issuers complied with the requirements of Sections 13(b)(2)(B)(i) and (iii) of the Securities Exchange Act of 1934 ("Exchange Act").[2] Those provisions require certain issuers to devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances that transactions are executed with, or that access to company assets is permitted only with, management's general or specific authorization.[3] As the Senate emphasized over four decades ago when passing these provisions, "[a] fundamental aspect of management's stewardship responsibility is to provide shareholders with reasonable assurances that the business is adequately controlled."[4] While the cyber-related threats posed to issuers' assets are relatively new, the expectation that issuers will have sufficient internal accounting controls and that those controls will be reviewed and updated as circumstances warrant is not.

The Commission has determined not to pursue an enforcement action in these matters based on the conduct and activities of these public issuers that are known to the Commission at this time. The Commission, however, deems it appropriate and in the public interest to issue this Report of Investigation ("Report") pursuant to Section 21(a) of the Exchange Act to make issuers and other market participants aware that these cyber-related threats of spoofed or manipulated electronic communications exist and should be considered when devising and maintaining a system of internal accounting controls as required by the federal securities laws. Having sufficient internal accounting controls plays an important role in an issuer's risk management approach to external cyber-related threats, and, ultimately, in the protection of investors.