The Securities and Exchange Commission (SEC) released guidance on cyber-related fraud and related internal accounting controls requirements on October 16, 2018. The new guidance follows an investigation of nine publicly traded companies that collectively lost more than $100 million as a result of email fraud. The investigation looked into two types of fraud: 1) “spoofed” emails that appeared to come from company executives and 2) emails from hacked vendor accounts directing changes to the vendor’s banking information and submitting what appeared to be legitimate invoices.
Although action was not taken against the companies being investigated, the SEC found the incidence of fraud to be serious enough to warrant clarification. As such, the new guidance instructs organizations to consider that “cyber-related threats of spoofed or manipulated electronic communications exist and should be considered when devising and maintaining a system of internal accounting controls as required by the federal securities laws.”
The new guidance provides some clarification on the intersection of cybersecurity and accounting controls – an area not addressed explicitly in compliance regulations. Companies can use the guidance to educate themselves on evolving cyber-related risks and evaluate the accounting and email safeguards they have in place.
The new guidance from the SEC recommends that companies:
Based on the guidance, companies should re-evaluate business processes and implement technical safeguards within their cybersecurity plans. In particular, they should:
Additionally, companies should actively work to reduce this risk by regularly anticipating, detecting and mitigating human and technical vulnerabilities that weaken email security or allow fraudulent transactions.
Security experts can verify whether key executives’ passwords or other sensitive information, which may be used in a fraud scheme, have been compromised and are available on the Internet.
Risk mitigation might entail implementing two-factor authentication and password hygiene programs to better protect email accounts or implementing transactional non-repudiation safeguards.
For more information, contact Baker Tilly’s Cybersecurity & IT Risk practice. You can also download our ebook “Roadmap to Building a Sustainable Cybersecurity Management Program” or learn more about our cybersecurity services.