The SEC has issued and investigative report that advises public companies to enhance internal accounting controls to prevent losses from cyber-related frauds. The SEC report describes frauds at 9 issuers that involved spoofing emails and false vendor invoices that resulted in significant losses when internal employees transferred funds to the wrongdoers. One of the companies made 14 wire payments, resulting in a loss of over $45 Million. Another paid 8 invoices totaling $1.5 Million. Although the SEC did not bring enforcement actions against these registrants, the SEC alleges that the companies violated their obligations to implement internal accounting controls sufficient to ensure transactions are only permitted with management’s authorization. In particular, the SEC advises companies to review and enhance their payment authorization and verification procedures and employee training. SEC Chairman Jay Clayton warned: “Cyber frauds are a pervasive, significant, and growing threat to all companies, including our public companies.”
OUR TAKE: You’ve been warned. The SEC gave these 9 companies a pass, but we don’t expect the same treatment for future violators who should now take action to prevent spoofing and email cyber-frauds.