SEC releases guidance on cyber-related fraud and accounting controls for public companies

Organizations should evaluate cyber frameworks and business processes to address cyber-related fraud risk and related controls.

The Securities and Exchange Commission (SEC) released guidance on cyber-related fraud and related internal accounting controls requirements on October 16, 2018. The new guidance follows an investigation of nine publicly traded companies that collectively lost more than $100 million as a result of email fraud. The investigation looked into two types of fraud: 1) “spoofed” emails that appeared to come from company executives and 2) emails from hacked vendor accounts directing changes to the vendor’s banking information and submitting what appeared to be legitimate invoices.

Although action was not taken against the companies being investigated, the SEC found the incidence of fraud to be serious enough to warrant clarification. As such, the new guidance instructs organizations to consider that “cyber-related threats of spoofed or manipulated electronic communications exist and should be considered when devising and maintaining a system of internal accounting controls as required by the federal securities laws.”

Why this is important

The new guidance provides some clarification on the intersection of cybersecurity and accounting controls – an area not addressed explicitly in compliance regulations. Companies can use the guidance to educate themselves on evolving cyber-related risks and evaluate the accounting and email safeguards they have in place.

What you need to know

The new guidance from the SEC recommends that companies:

• Develop and implement internal accounting controls that protect assets from cyber-related fraud. In particular, the guidance instructs companies to consider the obligations imposed by Section 13(b)(2)(B) of the Securities and Exchange Commission Act of 1934, which requires public companies to “devise and maintain a sufficient system of internal accounting controls.”
• Ensure appropriate management authorization for employees to conduct transactions and access assets. Build in accounting controls that assure management provides sufficient authorization for company financial transactions and that access to assets is properly authorized, as per Sections 13(b)(2)(B)(i) and (iii).

What you should do now

Based on the guidance, companies should re-evaluate business processes and implement technical safeguards within their cybersecurity plans. In particular, they should:

• Evaluate business process controls: While email fraud itself is often rooted in weak cybersecurity practices, most aspects of fraud prevention are entirely in the hands of humans. Companies should implement tools, processes and training to help staff members identify potentially fraudulent email. In particular, the identity of senders and the authenticity of their requests should be validated. Email that requests exceptional transaction handling or changed payment delivery should be carefully reviewed and verified. It is important to employ a consistent message (tone) from the top, making clear that asking questions is not only acceptable, but expected. Leaders should celebrate the individuals who sound the alarm bells on fraud. The people who get it right are the best examples for others. 
  
   
• Implement technical safeguards to protect email accounts: All companies should review their risk of email fraud. Minimally, the following questions should be answered:
• Can company email accounts be misused to send fraudulent email?
• Do sufficient safeguards exist to detect the receipt of fraudulent email?
• Is there a documented incident response plan for handling potentially fraudulent email?
• What threat sources may attempt to exploit a company’s email sending or reception vulnerabilities?

Additionally, companies should actively work to reduce this risk by regularly anticipating, detecting and mitigating human and technical vulnerabilities that weaken email security or allow fraudulent transactions.

Security experts can verify whether key executives’ passwords or other sensitive information, which may be used in a fraud scheme, have been compromised and are available on the Internet.  

Risk mitigation might entail implementing two-factor authentication and password hygiene programs to better protect email accounts or implementing transactional non-repudiation safeguards.

For more information on this topic or to learn how Baker Tilly specialists can help, contact our team.