On October 16, 2018, the SEC issued a 21(a) report announcing that it had investigated whether certain public companies that were victims of cyber-related frauds, many of them unsophisticated, had violated federal securities laws by failing to have a sufficient system of internal accounting controls in place to detect these events.
Focus of SEC Report
The report focused on two common cyber frauds involving spoofed or otherwise compromised electronic communications. The first involved emails that purported to be from senior executives within the company (typically, the CEO) but in fact were from spoofed email domains. The second involved emails from fake vendors. This form of scam was more technologically sophisticated than the fake executive emails, as in certain instances it involved intrusions into the email accounts of the companies’ foreign vendors. Each of the nine companies referenced in the report lost at least $1 million as a result of these scams, and two lost more than $30 million. In total, the companies lost nearly $100 million to the thieves, almost all of which was never recovered.