In response to the continued increase in cybercrime, the United States Securities and Exchange Commission (SEC) issued an investigative report on 16 October 2018 that cautioned companies to consider cyber threats when they are implementing their internal accounting controls.
The report focuses on the internal accounting controls of nine issuers in a range of sectors “that were victims of one of two variants of schemes involving spoofed or compromised electronic communications from persons purporting to be company executives or vendors,” commonly referred to as business e-mail compromise (BEC) scams. According to the SEC’s report, each of the nine issuers lost at least $1 million; two lost more than $30 million. In total, the nine issuers lost nearly $100 million to the perpetrators, almost all of which was never recovered.
What Is a BEC Scam?
As described in the SEC’s report, a BEC scam occurs when attackers use compromised or fraudulent e-mail addresses to target specific employees within organizations and ask them to participate in what appear to be legitimate transactions or to make changes to key payment or vendor information.
The scam typically involves the hacking of an individual’s e-mail account, which is then used to send e-mails to other individuals within an organization or outside of it (e.g., to customers). This occurs more commonly in hosted e-mail solutions that are not protected by multifactor authentication (MFA). It also occurs in scenarios in which hackers are able to set up rules for e-mail forwarding and deleting to monitor and remove communications that may be used to detect the unauthorized use of the e-mail address. Fraudulent or spoofed e-mails commonly resemble legitimate correspondence or are sent from domain names that closely resemble legitimate ones.
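The two indicators mentioned above (hidden forwarding or deletion rules on a compromised mailbox, and sender domains that imitate a legitimate vendor or executive domain) are the kind of thing a detective control can check for automatically. The following script is an added illustration and is not part of the SEC report or the Deloitte article; it assumes that the company keeps an allowlist of trusted vendor domains and that mailbox rules can be exported as simple records. The rule records, domain names and sender addresses below are constructed for the example.

```python
"""Added example: detective checks for two BEC indicators.

1. Sender domains that look like a trusted vendor or company domain.
2. Mailbox rules that forward mail externally, delete or hide it, or key on
   payment-related subjects (the persistence trick described in the text).

All domains, addresses and rules here are constructed sample data.
"""
from __future__ import annotations

import unicodedata

TRUSTED_DOMAINS = {"example-vendor.com", "acme-corp.com"}  # assumed allowlist
INTERNAL_DOMAIN = "acme-corp.com"                          # assumed own domain

# Character swaps commonly used to build visually similar domains.
HOMOGLYPHS = {"0": "o", "1": "l", "rn": "m", "vv": "w"}
FORWARD_ACTIONS = ("forward", "redirect", "forward_as_attachment")
HIDING_FOLDERS = {"Deleted Items", "RSS Feeds", "Archive"}
PAYMENT_TERMS = ("invoice", "payment", "wire", "bank")


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (standard dynamic-programming form)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize_domain(domain: str) -> str:
    """Fold Unicode, lowercase and collapse homoglyph pairs before comparing.
    Only applied to the untrusted side, so a trusted domain containing "rn"
    is never rewritten."""
    d = unicodedata.normalize("NFKC", domain).lower().strip()
    for glyph, plain in HOMOGLYPHS.items():
        d = d.replace(glyph, plain)
    return d


def lookalike_domain(sender: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2) -> str | None:
    """Return the trusted domain the sender's domain imitates, or None.
    An exact (case-insensitive) match with a trusted domain is legitimate."""
    domain = sender.rsplit("@", 1)[-1].lower()
    if domain in trusted:
        return None
    norm = normalize_domain(domain)
    for t in trusted:
        if levenshtein(norm, t) <= max_distance:
            return t
    return None


def suspicious_rule(rule: dict, internal_domain: str = INTERNAL_DOMAIN) -> list[str]:
    """Return the reasons a mailbox rule looks like BEC persistence (empty if none)."""
    reasons: list[str] = []
    actions = rule.get("actions", {})
    for action in FORWARD_ACTIONS:
        for target in actions.get(action, []):
            if target.rsplit("@", 1)[-1].lower() != internal_domain:
                reasons.append(f"{action} to external address {target}")
    if actions.get("delete") or actions.get("move_to") in HIDING_FOLDERS:
        reasons.append("rule deletes or hides matching mail")
    subjects = " ".join(rule.get("conditions", {}).get("subject_contains", [])).lower()
    if any(term in subjects for term in PAYMENT_TERMS):
        reasons.append("rule keys on payment-related subjects")
    if rule.get("name", "").strip() in {"", ".", ",", "..", "-"}:
        reasons.append("rule has an empty or single-character name")
    return reasons


# Constructed sample data: one rule typical of a compromised mailbox, one benign.
SAMPLE_RULES = [
    {"name": ".", "conditions": {"subject_contains": ["invoice", "wire"]},
     "actions": {"forward": ["drop@mail-drop.example.net"], "delete": True}},
    {"name": "Newsletter filing", "conditions": {"subject_contains": ["newsletter"]},
     "actions": {"move_to": "Newsletters"}},
]
SAMPLE_SENDERS = ["ap@examp1e-vendor.com", "cfo@acme-corp.co",
                  "ap@example-vendor.com", "news@unrelated.org"]


def run_checks() -> dict:
    """Run both checks over the sample data and return the findings."""
    return {
        "lookalikes": {s: lookalike_domain(s) for s in SAMPLE_SENDERS if lookalike_domain(s)},
        "rules": {r["name"]: suspicious_rule(r) for r in SAMPLE_RULES if suspicious_rule(r)},
    }


if __name__ == "__main__":
    for kind, findings in run_checks().items():
        print(kind)
        for key, value in findings.items():
            print(f"  {key}: {value}")
```

In practice the rule records would come from the mail platform’s audit log and the sender list from inbound mail headers; the distance threshold and the list of hiding folders are tuning choices, and a flagged rule or sender is a prompt for review rather than proof of compromise.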
The SEC’s Check of Internal Accounting Controls
The SEC considered whether the companies affected by the BECs complied with the requirements of Sections 13(b)(2)(B)(i) and (iii) of the Securities Exchange Act of 1934, under which certain issuers are required to “devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances that transactions are executed with, or that access to company assets is permitted only with, management’s general or specific authorization.” Further, the report emphasized that “while the cyber-related threats posed to issuers’ assets are relatively new, the expectation that issuers will have sufficient internal accounting controls and that those controls will be reviewed and updated as circumstances warrant is not.”
The full version of the SEC’s report of investigation is available here.
You can find more information about BEC scams in Heads Up (Volume 25, Issue 18), issued by Deloitte on 30 October 2018. The following topics are covered in the article in detail:
How does a BEC Scam occur?
How Can BEC Scams Be Identified and Avoided?
What Controls May Help Companies Prevent or Detect These Types of Cybercrimes?
SEC’s Focus on Cybersecurity
The cybersecurity landscape continues to evolve, and schemes like the ones described in the SEC’s report are increasing as more economic activities take place through digital technology and electronic communications. The BEC examples described above underscore the importance of devising and maintaining a system of internal accounting controls to address this kind of cyber-related fraud. Training and user security awareness play critical roles in both the implementation and operating effectiveness of controls.
Report of Investigation Pursuant to Section 21(a) of the Securities Exchange Act of 1934 Regarding Certain Cyber-Related Frauds Perpetrated Against Public Companies and Related Internal Accounting Controls Requirements
Heads Up — Cyber threat considerations related to implementation of internal accounting controls
The article is part of dReport – December 2018, Accounting news.