The U.S. Securities and Exchange Commission (SEC) has issued a stern warning to public companies: tighten cybersecurity controls or risk being in violation of federal law.
The regulator issued a report based on the SEC Enforcement Division’s investigations of nine public companies that lost millions of dollars as the result of cyber fraud. The companies, which each had securities listed on a national stock exchange, were in sectors including technology, machinery, real estate, energy, financial, and consumer goods.
The SEC’s investigations focused on “business email compromises” (BECs), where criminals posed as company executives or vendors and used emails to trick employees into sending large sums to fraudulent bank accounts. The activity sometimes lasted months and was often only discovered after law enforcement or other third parties got involved.
Each of the companies lost at least $1 million, two lost more than $30 million, and one lost more than $45 million. In total, the nine companies wired nearly $100 million as a result of the frauds, most of which was unrecoverable.
“Cyber frauds are a pervasive, significant, and growing threat to all companies, including our public companies,” SEC Chairman Jay Clayton said in a press release. “Investors rely on our public issuers to put in place, monitor, and update internal accounting controls that appropriately address these threats.”
The agency has warned that companies subject to the internal accounting controls requirements of Section 13(b)(2)(B) of the Securities Exchange Act of 1934 “must calibrate their internal accounting controls to the current risk environment and assess and adjust policies and procedures accordingly.”
“In light of the facts and circumstances, we did not charge the nine companies we investigated, but our report emphasizes that all public companies have obligations to maintain sufficient internal accounting controls and should consider cyber threats when fulfilling those obligations,” said Stephanie Avakian, co-director of the SEC Enforcement Division.