Recently, the Securities and Exchange Commission (SEC) released its “Report of Investigation Pursuant to Section 21(a) of the Securities Exchange Act of 1934 Regarding Certain Cyber-Related Frauds Perpetrated Against Public Companies and Related Internal Accounting Controls Requirements.” This report laid out the findings of an investigation into nine public companies that had fallen victim to business email compromises (BECs) that resulted in the loss of over $100 million dollars. The attacks were perpetrated via two types of emails – fake executives and fake vendors. The SEC decided to investigate these companies for two reasons:
A Federal Bureau of Investigation (FBI) report on Internet Crime in 2017 found that “so-called ‘business email compromises’ had caused over $5 billion in losses since 2013, with an additional $675 million in adjusted losses in 2017—the highest estimated out-of-pocket losses from any class of cyberfacilitated crime during this period.”
The SEC wanted to determine if these companies had violated Sections 13(b)(2)(B)(i) and (iii) of the Securities Exchange Act of 1934, which requires companies “to devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances that transactions are executed with, or that access to company assets is permitted only with, management’s general or specific authorization.”
In the investigation, the SEC found that the BECs that led to the losses were nothing extraordinary or special. The fake executive emails had all of the common elements that we find in these types of phishing attempts – targeted at mid-level personnel, use of spoofed email domains and addresses, emphasis on time-sensitive transactions, need for secrecy, requests for wire transfers to foreign players. The fake vendor emails, although slightly more sophisticated, used similar tactics which resulted in victims paying phony invoices to what they thought were legitimate vendors whose banking information had been “updated” via a previous attack.
Although the SEC decided not to press charges against the nine companies, we should consider this investigation a shot across the bow for public companies – the SEC is watching and they are not liking what they see. The biggest concern is that internal accounting controls are not keeping up with the changes of the digital age. The SEC issued the Commission Statement and Guidance on Public Company Cybersecurity Disclosures to companies in February of this year, emphasizing “Cybersecurity risk management policies and procedures are key elements of enterprise-wide risk management, including as it relates to compliance with the federal securities laws.” Based on this latest investigation, it is now obvious that the SEC is telling companies to get their digital, cybersecurity, and internal controls aligned and in order ASAP. As stated in the report, “Public issuers subject to the requirements of Section 13(b)(2)(B) must calibrate their internal accounting controls to the current risk environment and assess and adjust policies and procedures accordingly.”
What we cannot lose sight of in this report from the SEC is that these large scale breaches were not the result of poorly configured servers, the lack of a physical control on the network, or even a missing DMZ. They were ALL a breach of the “human firewall.” It was yet again another reminder that no matter how sophisticated, expensive, or current your technology is, your weakest link is still with your people. They must also be “hardened” through security awareness training, constant reinforcement, phishing simulations and clear policies and procedures. As the SEC explains, “Systems of internal accounting controls, by their nature, depend also on the personnel that implement, maintain and follow them. In the context of the business email compromises the Division reviewed, the frauds succeeded, at least in part, because the responsible personnel did not sufficiently understand the company’s existing controls or did not recognize indications in the emailed instructions that those communications lacked reliability.”
When planning your cybersecurity strategy, think of your employees as individual endpoints that also require securing. Would you leave a laptop without anti-virus? Would you leave default passwords on a server? Would you fail to segment your network? Would you place your wireless printers on an open, public wifi network? If you would not expose your hardware endpoints to attack, why would you leave your “human firewall” open and exposed to attack?