SEC Expands Emphasis on Cybersecurity with Cyber Fraud Report

Summary

The SEC has released a new report on cyber fraud, suggesting that public companies that fail to implement appropriate preventative measures risk violating the internal accounting control provisions of the Exchange Act. Companies should review their fraud prevention procedures accordingly and consider whether to conduct a comprehensive cybersecurity assessment under attorney-client privilege.

In Depth

The Enforcement Division of the Securities and Exchange Commission (SEC) recently warned public companies that inadequate cybersecurity fraud prevention may violate the internal accounting control provisions of the Exchange Act. Following Commission guidance issued earlier this year, the most recent report reflects the agency’s continued emphasis on cybersecurity. Given this more expansive view of cybersecurity practices, public companies should ensure that internal accounting controls adequately address cybersecurity risk.

The Report

The SEC’s investigative report describes two types of cybersecurity scams that victimized nine public companies, which collectively lost nearly $100 million.

In the first scam, the perpetrators sent wire transfer requests from fake email accounts purportedly belonging to company executives. The emails, sent primarily to midlevel personnel, emphasized the time-sensitive nature of the request and the secretive nature of the transactions. These scams were relatively unsophisticated, and included spelling and grammatical errors. The emails nevertheless fooled employees and caused losses.

The second type of scam was more refined. In this scam, fraudsters posed as bona fide foreign vendors demanding payment. Originating from compromised vendor email addresses, the messages attached doctored invoices that contained accurate purchase order and account balance information. The attackers often were able to repeat the scams against the same victims by exploiting the vendors’ delayed action on delinquent payments.

The SEC declined to take action against the companies in the nine instances mentioned in the report. However, the Division emphasized that the failure to prevent such frauds could run afoul of Sections 13(b)(2)(B)(i) and (iii) of the Exchange Act. Those provisions require public companies to devise and maintain internal accounting controls sufficient to provide reasonable assurance that transactions are executed with, or that access to company assets is permitted only with, management’s authorization.

Previous Cybersecurity Efforts

The report reinforces the SEC’s increased emphasis on cybersecurity. The Commission recently formed a Cyber Unit within the Enforcement Division focused on these issues. In February 2018, the SEC issued guidance on cybersecurity disclosures for public companies focused on SEC reporting requirements and disclosure controls. (Our detailed analysis of the February guidance is available here.) Not long after the guidance, the SEC announced a settled action against Altaba (formerly Yahoo!) over the failure to disclose a large data breach to investors. As part of the settlement, Altaba agreed to pay a substantial $35 million penalty.

Avoiding Enforcement

The SEC Enforcement Division has a history of using “21A” reports like the one recently issued as warnings to public companies in advance of actual enforcement actions. As the report emphasizes, “issuers themselves are in the best position to develop internal accounting controls that account for their particular operational needs and risks.” That said, two specific compliance takeaways emerge from the report:

  • Transaction Authorization Procedures. The report highlights the importance of internal procedures for authorizing and approving wire transfers. Companies should consider multiple-authorization requirements, as well as creating or bolstering verification procedures for vendor information changes.

  • Personnel Training. Companies also should train personnel on internal procedures, emphasizing the response to red flags. Companies that have already implemented phishing training may be able to adapt this training for cyber fraud, and could test the effectiveness of the training through mock emails or “phish tests.” This training should extend beyond easy-to-spot requests for wire transfers and include suspicious information requests and other suspicious behavior. The SEC noted that scammers often corresponded with unwitting company personnel to collect facts about the vendor relationship in order to change banking information and generate fake invoices. Effective data handling procedures and training could prevent such information leakage and reduce the probability of successful cyberattacks.

Companies that update procedures and adequately train employees will have taken important steps to minimize SEC enforcement risk.

Of course, investing in reasonable cybersecurity controls and risk management also protects public companies from misappropriation and other harm. For example, public companies can protect themselves from losses in the second type of scam—where fraudsters leverage compromised vendor email addresses to request payment—by contractually requiring vendors to indemnify them for losses resulting from compromises of vendor systems and by requiring vendors to provide prompt notification of system compromises. Public companies also should consider whether their cybersecurity risk management program is sufficiently robust to cover the range of relevant risks and vulnerabilities and whether aspects of the program, such as periodic cybersecurity assessments, need to be conducted under privilege.

Global Trends

The SEC’s increased focus on cybersecurity coincides with a global trend toward increased regulatory attention. As cyber-related incidents and scandals continue to dominate the headlines, domestic and international regulators rush to keep pace and demonstrate vigilance. To survive in this regulatory environment, it is essential that companies design and implement a robust cybersecurity strategy.

The authors would like to thank Irene Le, McDermott law clerk, for contributing to this article.

© 2019 McDermott Will & Emery

About this Author

Thomas P. Conaghan, Partner

Thomas P. Conaghan is a partner in the law firm of McDermott Will & Emery and is based in the Firm’s Washington, D.C., office. Tom represents both publicly held and closely held businesses, underwriters and other sources of capital, corporate boards and board committees and corporate executives. He advises both U.S. and foreign-based public companies on issues relating to public and private offerings of securities, disclosure, periodic reporting, corporate governance, executive compensation, the rules of the New York Stock Exchange and the Nasdaq Stock Market and compliance with the...

Michael G. Morgan, Partner

Michael G. Morgan represents clients in class actions, litigation and other matters involving cybersecurity, privacy, and protection of consumer and business data. He is co-leader of the Firm’s Privacy and Data Protection practice.

With more than 20 years’ experience in data security and privacy matters, Michael advises clients on cyber incident preparation, prevention and response; compliance with US and EU laws and regulations; completion of enterprise-wide cybersecurity assessments; and data security policies and best practices. He has particular experience in advising clients on large-scale data breaches, including those involving more than 50 million consumer records, both in the US and in dozens of countries around the world.

Michael is a seasoned trial lawyer who has first-chaired numerous jury and bench trials and has resolved scores of cases through mediation and other forms of Alternative Dispute Resolution. He has deep experience in the defense of consumer class actions and government investigations by the FTC, CFPB, FCC, and state attorneys general relating to data security and privacy. Before joining his prior firm, Michael was vice president and general counsel of Epic Cycle, a web app development company.

Paul Helms, Partner

Paul Helms defends clients in government investigations, principally investigations by the US Securities and Exchange Commission (SEC), and conducts internal investigations involving securities, accounting and other financial concerns. Through his work at the SEC and in private practice, Paul handled more than 40 investigations across multiple subject areas, including financial and accounting fraud, offering fraud, market manipulation, insider trading, Foreign Corrupt Practices Act (FCPA) violations and regulatory compliance. Paul has substantial experience in matters...

Eric Orsic, Partner

Eric Orsic is a partner in the law firm of McDermott Will & Emery LLP and is based in the Firm’s Chicago office. Eric focuses his practice in the areas of mergers and acquisitions, and securities transactions and compliance. Eric works with both public and privately-held companies to structure and negotiate business acquisitions/dispositions. His public company transactional experience includes public equity and debt offerings, tender offers and going-private transactions. Eric also serves as outside securities counsel to several public companies and advises on SEC compliance...