January 20, 2020

January 17, 2020


SEC’s latest Cyber-Fraud ROI Indicates Future Enforcement Against Hacker Victims . . . Fool Me Twice

In the aftermath of the Securities and Exchange Commission’s (“SEC”) latest Report of Investigation (“Report”) regarding cyberattacks via “spoofed or manipulated electronic communications,” companies should prepare to adjust and update their internal controls or face possible enforcement actions for violation of federal securities law.  Released as a warning to public companies about recent cyberattacks, the Report’s emphasis that companies maintain proper internal controls to combat cybersecurity issues indicates SEC enforcement actions for lack of proper cybersecurity procedures and supervision are on the horizon.    

The Report, released on October 16, revealed the SEC’s investigation into nine public companies that fell victim to cyber-related frauds, leading to a combined loss of over $100 million.  The frauds entailed employees wiring large sums or paying invoices to fake accounts after receiving “spoofed” or “compromised electronic communications” purporting to be from company executives, lawyers, or vendors.  The fake emails from executives employed unsophisticated technology requiring only the creation of email addresses that mimicked the look and design of an executive’s actual email address.  These emails shared common themes, including poor grammar, secrecy, time-urgent transactions, suggestions of government oversight, and a need to transact business in foreign countries.  The fake vendor emails were more insidious and involved the hacking of email accounts of legitimate foreign vendors working with the companies.  These emails contained fewer hints of illegitimacy or red flags, and thus many of the victimized companies learned of the fraud only after actual vendors raised concerns about outstanding invoices.  The SEC did not name the companies involved, but did note that the cyber-related frauds affected companies from various industries, demonstrating that all companies are potentially at risk.

The SEC’s investigation assessed whether these companies had sufficient controls to guard against the cyberattacks and thus “provide reasonable assurances that transactions are executed with, or that access to company assets is permitted only with, management’s general or specific authorization” pursuant to the requirements of Sections 13(b)(2)(B)(i) and (iii) of the Securities Exchange Act of 1934 (the “1934 Act”).  Notably, the SEC did not pursue enforcement actions against any of the nine companies.

Instead, the SEC issued the Report to highlight the 1934 Act’s requirement that companies must implement sufficient internal procedures and controls to prevent unauthorized access to company assets – which means companies must have adequate controls to identify and prevent cyberattacks such as the ones identified in the Report.  The Report acknowledged that cyber-related threats are a new facet of today’s world, but noted that the expectation that companies maintain proper internal controls that adjust to changing circumstances is not.  The Report also underscored the importance of creating specially designed controls that target cyber-related fraud, including providing critical training to employees to help them recognize signs of cyber-fraud and ensuring employees follow proper protocols for payment authorization.

The Report is a clear warning that cybersecurity issues are front and center at the SEC and that companies must implement proper controls to prevent cyber-related fraud.  As cybersecurity remains a focus for the SEC, companies should work with their attorneys and IT and compliance personnel to establish procedures to combat ever-changing cyber threats.  Companies unwilling to do this risk not only potential hacks and frauds, but also enforcement liability under the securities laws.

Copyright © 2020, Sheppard Mullin Richter & Hampton LLP.


About this Author

Bill Mateja Lawyer Sheppard Mullin Law Firm

Bill Mateja is a partner in the Government Contracts, Investigations & International Trade Practice Group in the firm's Dallas office. He specializes in White Collar Defense and Corporate Investigations.


Unlike many attorneys, Bill does not expect repeat business. Clients he works with are usually facing the kinds of high-stakes, high-stress problems that are not likely to recur — a financial services company under SEC investigation, a hospital accused of Medicare fraud, or a C-suite executive charged with fraud or...

Sarah Aberg Government Contracts Attorney Sheppard Mullin Law Firm New York

Sarah Aberg is an associate in the Government Contracts, Investigations & International Trade Practice Group in the firm's New York office.


Ms. Aberg’s practice encompasses securities regulation, compliance, and litigation as well as internal investigations and white-collar defense. She frequently represents broker-dealers and associated individuals who are the focus of SEC, FINRA, and other regulatory investigations. She has conducted numerous internal investigations into a wide variety of allegations, including insider trading, unauthorized trading, and other retail brokerage sales practice violations. Ms. Aberg has also represented banks, broker-dealers, securities professionals and individuals in connection with investigations and inquiries by the Department of Justice, FINRA, and the New York Attorney General’s and District Attorney’s Offices.


Jennifer Le, Sheppard Mullin Law Firm, Los Angeles, Trade Law Attorney

Jennifer N. Le is an associate in the Government Contracts, Investigations and International Trade Practice Group in the firm's Los Angeles office. Ms. Le’s practice consists predominantly of representing corporations and non-profit organizations in cases involving False Claims Act, Foreign Corrupt Practices Act, U.K. Bribery Act, and related state, federal, and foreign laws. She has experience in managing internal audits and investigations of potential violations of anti-corruption laws and the FCA. She also advises on anti-corruption matters by analyzing risks,...