The SEC has issued an investigative report that advises public companies to enhance internal accounting controls to prevent losses from cyber-related frauds. The SEC report describes frauds at 9 issuers that involved spoofing emails and false vendor invoices that resulted in significant losses when internal employees transferred funds to the wrongdoers. One of the companies made 14 wire payments, resulting in a loss of over $45 Million. Another paid 8 invoices totaling $1.5 Million. Although the SEC did not bring enforcement actions against these registrants, the SEC alleges that the companies violated their obligations to implement internal accounting controls sufficient to ensure transactions are only permitted with management’s authorization. In particular, the SEC advises companies to review and enhance their payment authorization and verification procedures and employee training. SEC Chairman Jay Clayton warned: “Cyber frauds are a pervasive, significant, and growing threat to all companies, including our public companies.”
OUR TAKE: You’ve been warned. The SEC gave these 9 companies a pass, but we don’t expect the same treatment for future violators who should now take action to prevent spoofing and email cyber-frauds.
A large broker-dealer agreed to pay $1.575 Million to FINRA and several exchanges for failing to implement procedures to properly control market access. FINRA asserts that the firm’s weak procedures and controls allowed multiple instances of spoofing, wash trading, and access by unidentified traders. FINRA claims that the firm’s Written Supervisory Procedures did not adequately describe how supervisors and others should follow up on red flags. FINRA charges the firm with violations of the customer protection rule (15c3-5) and the supervision/compliance rule (3110). FINRA explains that the market access rule is “designed to ensure that broker-dealers appropriately control the risks associated with market access, so as not to jeopardize their own financial condition, that of other market participants, the integrity of trading on the securities markets, and the stability of the financial system.”
OUR TAKE: The market access rule is fairly specific about the supervisory and compliance requirements. Generalized WSPs and third-party technology half-measures won’t satisfy the regulators or the exchanges. We call this “compliance voodoo”: the appearance of a compliance infrastructure that does not actually stop the targeted wrongdoing (and may even facilitate it).