Cyber Threat Considerations Related to Implementation of Internal Accounting Controls
In response to the continued increase in cybercrime, the SEC issued an investigative report [1] on October 16, 2018, that cautioned companies to consider cyber threats when they are implementing their internal accounting controls. The report focuses on the internal accounting controls of nine issuers in a range of sectors “that were victims of one of two variants of schemes involving spoofed or compromised electronic communications from persons purporting to be company executives or vendors,” commonly referred to as business e-mail compromise (BEC) scams. The SEC considered whether the companies affected by the BECs complied with the requirements of Sections 13(b)(2)(B)(i) and (iii) of the Securities Exchange Act of 1934, under which certain issuers are required to “devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances that transactions are executed with, or that access to company assets is permitted only with, management’s general or specific authorization.” Further, the report emphasized that “[w]hile the cyber-related threats posed to issuers’ assets are relatively new, the expectation that issuers will have sufficient internal accounting controls and that those controls will be reviewed and updated as circumstances warrant is not.”
What Is a BEC Scam?
As described in the SEC’s report, a BEC scam occurs when attackers use compromised or fraudulent e-mail addresses to target specific employees within organizations and ask them to participate in what appear to be legitimate transactions or to make changes to key payment or vendor information. The scam typically involves the hacking of an individual’s e-mail account, which is then used to send e-mails to other individuals within an organization or outside of it (e.g., to customers). This occurs more commonly in hosted e-mail solutions that are not protected by multifactor authentication (MFA). It also occurs in scenarios in which hackers are able to set up rules for e-mail forwarding and deleting to monitor and remove communications that may be used to detect the unauthorized use of the e-mail address. Fraudulent or spoofed e-mails commonly look similar to or have domain names that are similar to legitimate correspondence.
How Does a BEC Scam Occur?
Cyber criminals use publicly available information from company Web sites, directories, databases, and social media platforms to target company executives as well as specific employees in organizational areas such as finance or human resources. The following six types of BEC scams are prevalent:
- Changed vendor payment details: a fraudulent e-mail sent from an attacker posing as a company vendor with new payment or bank routing information used to falsely redirect vendor invoice payments.
- Changed employee payroll details: a fraudulent e-mail sent from an attacker posing as an employee with advice about new payment or bank routing information used to falsely redirect payroll checks or deposits.
- Hacked or replicated e-mail domains of managers or directors used to send out requests to the finance team to make an urgent payment.
- Fraudulent e-mail request: a fraudulent e-mail requesting that employees transfer funds related to a fictitious invoice or transaction. This can be done by hacking, by using social engineering (i.e., use of deception to manipulate individuals into divulging confidential or personal information), or by using domain names that resemble legitimate ones.
- The impersonation of lawyers or executives requesting the urgent or immediate transfer of funds related to confidential matters.
- Using a compromised e-mail to target human resources or finance departments to fraudulently request employee records. This information can then be used for further BEC scams or for identity fraud.
How Can BEC Scams Be Identified and Avoided?
A pervasive theme in BEC scams is that an individual employee gives the hacker access to an e-mail account, generally by clicking a link in an e-mail or by downloading a file through a phishing attack. A BEC scam can also occur when an employee completes a requested action on the basis of a fraudulent or spoofed e-mail. Companies should consider enhancing their security awareness programs with improved employee training to prevent these attacks and should remind employees of the following BEC scam characteristics:
- Content — Does the e-mail ask you to click an unfamiliar link or download an attachment, does the e-mail contain errors, or is its language or the request illogical or unusual?
- Hyperlinks — If you hover the mouse over a hyperlink, does the content match the actual link?
- Attachments — If the e-mail contains an attachment, is the title or format of the attachment unfamiliar or different from the information in the request?
- Address — Does the business name noted in the e-mail match the business name in the sender’s address? If it claims to be from an internal source, are there discrepancies in the spelling or order of the name, or is it actually from a suspicious outside source?
- Subject — Is the text in the subject line irrelevant or different from the content of the e-mail? For example, it may state that it is a reply to an e-mail that you have not sent.
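The characteristics in the list above can be checked mechanically on an inbound message. The following Python script is an added example, not part of the SEC report or this article: it parses a constructed sample message and reports which address, subject, hyperlink and content red flags it triggers. The trusted-domain list, the 0.9 similarity threshold and the urgency word list are assumptions.

```python
import difflib
import re
from email import message_from_string, policy

# Domains the company and its vendors really use (constructed sample values).
TRUSTED_DOMAINS = {"example.com", "acme-supplies.example.org"}
URGENT = re.compile(r"\b(urgent|immediately|wire transfer|new bank|routing)\b", re.I)
LINK = re.compile(r'<a[^>]+href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
def host_of(s):
    """Lower-cased host of an address header ('Name <user@host>') or of a URL."""
    m = re.search(r"(?:@|://)([\w.-]+)", s) or re.match(r"([\w.-]+)", s.strip())
    return m.group(1).lower() if m else ""

def bec_flags(raw):
    """Return the red flags (address, subject, hyperlinks, content) a raw message triggers."""
    msg = message_from_string(raw, policy=policy.default)
    flags = []
    sender = host_of(msg.get("From", ""))
    # Address: sender domain closely resembles a trusted one without being it (lookalike).
    near = [d for d in TRUSTED_DOMAINS if 0.9 <= difflib.SequenceMatcher(None, sender, d).ratio() < 1]
    if near:
        flags.append(f"address: lookalike domain {sender} resembles {near[0]}")
    # Address: replies would go to a different domain than the apparent sender.
    reply = host_of(msg.get("Reply-To") or msg.get("From", ""))
    if reply != sender:
        flags.append(f"address: Reply-To domain {reply} differs from sender {sender}")
    # Subject: claims to be a reply, but no earlier message is referenced.
    if msg.get("Subject", "").lower().startswith("re:") and not (msg.get("In-Reply-To") or msg.get("References")):
        flags.append("subject: presented as a reply to a message never referenced")
    part = msg.get_body(preferencelist=("html", "plain"))
    text = part.get_content() if part else ""
    # Hyperlinks: the text shown to the user names a different host than the real target.
    for href, anchor in LINK.findall(text):
        if "." in anchor and host_of(anchor) != host_of(href):
            flags.append(f"hyperlink: shows {host_of(anchor)} but points to {host_of(href)}")
    # Content: pressure to move money or change bank details right away.
    if URGENT.search(re.sub(r"<[^>]+>", " ", text)):
        flags.append("content: urgent payment or bank-detail wording")
    return flags

# Constructed sample: lookalike vendor domain (capital I for l), foreign Reply-To, fake "Re:" thread, deceptive link text, urgent wording.
SAMPLE_SPOOF = """\
From: Acme Accounts <ap@acme-suppIies.example.org>
Reply-To: ap.acme@mail.example.net
Subject: Re: Updated remittance details
Content-Type: text/html

<p>Please update our bank routing details <b>immediately</b>; confirm at
<a href="http://login.example.net/x">https://portal.acme-supplies.example.org</a></p>
"""
```

Running `bec_flags(SAMPLE_SPOOF)` reports all five flags; a genuine reply from a trusted domain that carries an In-Reply-To header and no payment wording reports none.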
What Controls May Help Companies Prevent or Detect These Types of Cybercrimes?
In addition to raising the general security awareness of employees, companies should evaluate the design and operation of those controls that may help prevent or detect successful BEC scams. The following are some examples of general information technology (IT) and business process controls that companies should consider as part of a layered defense strategy regarding BEC:
General IT Controls
MFA — IT access
MFA is implemented to validate that authorized users are authenticated before gaining access to the system.
A frequently used control is the implementation of application-based MFA for hosted e-mail solutions. MFA can help prevent a hacker from accessing a hosted e-mail solution that would then be used by the hacker to send e-mails from a compromised company e-mail address.
Virtual private network (VPN)
Controls are implemented to restrict VPN access to authorized and appropriate users.
Many organizations already use VPN to authenticate users who attempt to gain access to an organization’s internal network from a remote location. Applications and infrastructure are placed behind the organization’s firewall and therefore cannot be accessed until the user connects to the VPN.
Secure e-mail gateways
Controls are implemented to encrypt and decrypt e-mail to prevent unauthorized disclosure of information.
Strong security controls associated with inbound and outbound e-mail traffic are necessary to help prevent unauthorized disclosure of information.
Controls are implemented to restrict malicious material from being delivered over a Web browser or e-mail.
Preventing users from accessing malicious Web addresses helps avoid unauthorized disclosure of sensitive information such as the username and password an employee uses for authentication. Preventive controls in the e-mail gateway further reduce the likelihood that a malicious e-mail is delivered to an inbox.
Endpoint protection (e.g., antivirus, anti-malware) is implemented to prevent malicious software from running.
If enterprise-wide preventive controls fail to detect and mitigate the threat before a user sees it, endpoint protection may add an additional mitigation step to prevent unauthorized use of computer resources.
Business Process Controls
Authorization verification controls
Controls to validate that users are authorized to request changes to bank routing or other payment information.
These controls can be used to prevent unauthorized changes to payroll or payment bank routing information. They include authenticating an e-mail request, calling the authorized vendor representative or the employee, or requesting physical verification through a cancelled check.
Review of vendor or employee master file changes
Management reviews all changes to the vendor or payroll master file.
The review of all vendor master file changes by a supervisor or manager may help reduce the risk of fictitious or fraudulent changes to the vendor master file, including changes to vendor payment bank routing information. Such a review would include verifying that each change traces back to an authenticated request.
Controls to confirm payment information with vendor or employee.
A confirmation message is sent to a vendor or employee when a change to bank routing information is made so that the vendor or employee can confirm that the change is authentic.
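As an added illustration, not taken from the article, of how the three business process controls above fit together, this Python sketch applies a vendor bank-detail change only after a call-back to the number already on file and a review by someone other than the requester, then queues a confirmation to the contact on file. The vendor record, request fields and sample values are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class VendorRecord:
    vendor_id: str
    bank_account: str
    contact_phone: str  # captured at onboarding; never updated from an incoming e-mail
    contact_email: str  # address on file, used for confirmations (not the requester's e-mail)

@dataclass
class BankChangeRequest:
    vendor_id: str
    new_bank_account: str
    requested_by: str          # employee who keyed in the change from the e-mail
    callback_number: str = ""  # number actually dialed to verify the request
    reviewer: str = ""         # supervisor who approved; must differ from the requester

class VendorMasterFile:
    def __init__(self, records):
        self.records = {r.vendor_id: r for r in records}
        self.log = []     # audit trail of rejected and applied changes
        self.outbox = []  # confirmation messages to the vendor's on-file contact

    def apply_change(self, req):
        """Apply a bank-detail change only if both controls pass; return True when applied."""
        rec = self.records[req.vendor_id]
        problems = []
        # Authorization verification: the call-back must go to the number already on file, never to one offered in the e-mail.
        if req.callback_number != rec.contact_phone:
            problems.append("callback not made to the contact number on file")
        # Master file change review: a supervisor other than the requester signs off.
        if not req.reviewer or req.reviewer == req.requested_by:
            problems.append("no independent supervisor review")
        if problems:
            self.log.append(("rejected", req.vendor_id, tuple(problems)))
            return False
        self.log.append(("applied", req.vendor_id, rec.bank_account, req.new_bank_account, req.reviewer))
        rec.bank_account = req.new_bank_account
        # Confirmation: notify the contact on file so an unauthorized change gets noticed.
        self.outbox.append((rec.contact_email, f"Bank details for {req.vendor_id} were changed."))
        return True

def demo():
    # Constructed sample: one vendor on file, then the same change attempted two ways.
    mf = VendorMasterFile([VendorRecord("V-100", "OLD-ACCT", "+1-555-0100", "ap@acme-supplies.example.org")])
    # The e-mail supplied its own "call me" number and the clerk self-approved: rejected.
    rushed = BankChangeRequest("V-100", "NEW-ACCT", "clerk", callback_number="+1-555-0199", reviewer="clerk")
    # Call-back to the number on file and a separate supervisor review: applied, confirmation queued.
    proper = BankChangeRequest("V-100", "NEW-ACCT", "clerk", callback_number="+1-555-0100", reviewer="manager")
    return mf.apply_change(rushed), mf.apply_change(proper), mf
```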
Bear in mind the following:
- The cybersecurity landscape continues to evolve, and schemes like the ones described above and in the SEC’s report are increasing as more economic activities take place through digital technology and electronic communications.
- The BEC examples described above underscore the importance of devising and maintaining a system of internal accounting controls to address this kind of cyber-related fraud.
- Training and user security awareness play critical roles in both the implementation and operating effectiveness of controls.
While the SEC’s report states that “the Commission is not suggesting that every issuer that is the victim of a cyber related scam is, by extension, in violation of the internal accounting controls requirements of the federal securities laws,” it also emphasized that companies must “calibrate their internal accounting controls to the current risk environment and assess and adjust policies and procedures accordingly.” The above considerations, while not intended to be comprehensive, may be useful in a company’s evaluation of its internal controls for preventing BEC scams.
SEC’s Focus on Cybersecurity
The SEC’s release of the investigative report is consistent with the Commission’s focus on the evolving risks associated with cybersecurity. Cybersecurity remains a priority for the SEC Enforcement Division’s recently created Cyber Unit, which continues to target cyber-related misconduct.
In addition, on February 21, 2018, the SEC issued interpretive guidance [2] (the “release”) in response to the pervasive increase in digital technology as well as the severity and frequency of cybersecurity threats and incidents. The release largely refreshes existing SEC staff guidance related to cybersecurity (e.g., CFDG Topic 2 [3]) and, like that guidance, does not establish any new disclosure obligations but rather presents the SEC’s views on how its existing rules should be interpreted in connection with cybersecurity threats and incidents. However, the release does address topics not discussed in previously issued SEC releases, such as (1) disclosures about a corporate board’s risk oversight, (2) insider trading policies, and (3) SEC Regulation FD (on fair disclosure) and selective disclosure. For more information, see Deloitte’s February 23, 2018, Heads Up.
Further, in its recently issued strategic plan for fiscal years 2018–2022, the SEC identified an initiative to “focus on ensuring that the market participants we regulate are actively and effectively engaged in managing cybersecurity risks and that these participants and the public companies we oversee are appropriately informing investors and other market participants of these risks and incidents.” Accordingly, registrants should consider evaluating both their controls and disclosures related to cybersecurity as risks evolve and update them as needed.
[1] SEC Investigative Report Release No. 84429, Report of Investigation Pursuant to Section 21(a) of the Securities Exchange Act of 1934 Regarding Certain Cyber-Related Frauds Perpetrated Against Public Companies and Related Internal Accounting Controls Requirements.
[2] SEC Interpretation No. 33-10459, Commission Statement and Guidance on Public Company Cybersecurity Disclosures.
[3] SEC CF Disclosure Guidance: Topic No. 2, Cybersecurity.