The Securities and Exchange Commission issued a press release and an investigative report on Oct. 16 cautioning public companies to consider cyber threats when implementing internal accounting controls. The report stems from the SEC’s investigation of nine companies that lost between $1 million and $100 million each in so-called business email compromise (BEC) frauds, in which attackers take over accounts on a company’s email system and use that access to trick company personnel into paying large sums to bank accounts controlled by the attackers. The attackers often divert funds intended for employees, contractors or vendors, and the SEC’s report notes that the frauds sometimes last months and are only detected when law enforcement intervenes or the real payee complains that payments never arrived.
Although the SEC did not charge the nine companies it investigated, it warns that a company’s failure to prevent or detect these fraud schemes could support a charge that the company failed to implement sufficient internal accounting controls, as required by Section 13(b)(2)(B) of the Securities Exchange Act of 1934. Notably, if the SEC filed charges under this theory, it would not be for technical security failures that led to an email account’s compromise (e.g., a lack of multifactor authentication on remote email access); rather, the charges would relate to insufficient policies and procedures in the company’s internal accounting controls that failed to prevent or detect the fraud. In fact, although the SEC framed this issue as one related to “cyber threats,” not one of the nine cases the report highlights involves a compromise of the victim company’s own email system or network. In some of the reported cases, the companies fell victim to a spoofed email request, in which the attacker sent the fraudulent payment request from a fake account that appeared similar to one belonging to an executive at the victim company. In the other cases, the attackers compromised email accounts at one of the victim companies’ business partners and used the vendors’ compromised accounts to dupe the victim companies.
Besides highlighting the continuing risk to all organizations posed by BEC frauds, this report again illustrates why organizations must implement comprehensive risk management programs that assess risks across all three domains: people, processes and technology. An organization that focuses too heavily on assessing only technical risk may miss the weaknesses in its people and processes that allow a simple social-engineering attack to succeed. And although the SEC frames its warning here as one related to cyber risk, its real concern is companies’ failure to adequately assess risk scenarios and address fraud schemes through good internal accounting controls, regardless of whether an attacker initiates the fraud through an email compromise, a spoofed email message or some other pure social-engineering attack such as a phone call.
To address these threats and the SEC’s concerns, companies should take a layered approach driven by a comprehensive risk management program that starts with a proper risk assessment. First, assess technical vulnerabilities that an attacker could exploit to compromise an internal email account or other remote system. Attackers who gain access to internal email accounts and data stores can launch more convincing fraud schemes because they learn about the victim company’s people and processes by reading internal documents, and because they send the fraudulent requests from legitimate internal accounts. Consider implementing multifactor authentication on remote access to all email systems and other network resources, including third-party cloud-based sites. Also consider technical controls that help identify and block spoofed emails (e.g., warning banners, DMARC, and filters that block emails from recently registered domains).
Second, assess administrative vulnerabilities that could allow an attacker to manipulate your payment process and accounting systems. Consider, for example, requiring a second-level approval of account changes and payments to new vendors, or payments over a certain amount. The second approval should be through an alternate channel (e.g., if the first request came in by email, the validation could be a phone call to a known-good number).
Finally, assess the need to provide special training to employees in sensitive positions to increase awareness of attacks likely to target them. Finance employees should receive training on BEC, social-engineering and general fraud schemes likely to target them, as determined by the company’s continuous risk assessment process and evaluation of emerging threats. Also train employees to not implicitly trust requests that originate from an internal email, instant-message or collaboration system – all these systems have been compromised by attackers to further fraud schemes in prior cases.
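The first two layers above, technical controls that flag spoofed or lookalike senders and an administrative rule that forces a second, out-of-band approval of risky payments, as an added Python example; this is not code from the article or from the SEC report. The trusted domains, the vendor master file, the 30-day domain-age cutoff, the $50,000 second-approval threshold, the sample messages and the reference date are all constructed assumptions, and the domain-age lookup is a stand-in dictionary where a real deployment would query WHOIS/RDAP or a reputation feed.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date
from email import message_from_string
from email.utils import parseaddr

# Constructed: domains the company treats as its own or as vetted vendors.
TRUSTED_DOMAINS = {"example-corp.com", "vendor-example.com"}
# Constructed stand-in for a domain-age lookup (domain -> registration date).
DOMAIN_REGISTERED = {
    "example-corp.com": date(2005, 3, 1), "vendor-example.com": date(2012, 7, 14),
    "examp1e-corp.com": date(2019, 1, 2),
}
NEW_DOMAIN_DAYS = 30  # assumption: domains younger than this are suspicious
# Constructed vendor master file: vendor domain -> bank account on file.
VENDOR_ACCOUNTS = {"vendor-example.com": "CONSTRUCTED-ACCT-0001"}
SECOND_APPROVAL_THRESHOLD = 50_000  # assumption: amount needing a second approval
ALTERNATE_CHANNEL = {"email": "phone", "phone": "email"}  # assumption: verify on a different channel


def _normalize(domain: str) -> str:
    """Fold substitutions typical of lookalike domains (digit-for-letter, rn->m, vv->w)."""
    folded = domain.lower().replace("rn", "m").replace("vv", "w")
    folded = folded.translate(str.maketrans("0135", "oles"))
    return folded.replace("-", "").replace(".", "")


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def looks_like(candidate: str, trusted: str) -> bool:
    return _edit_distance(_normalize(candidate), _normalize(trusted)) <= 1


def assess_email(raw: str, today: date) -> list[str]:
    """Technical layer: reasons a message should get a warning banner or be blocked."""
    msg = message_from_string(raw)
    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    findings = []
    if domain not in TRUSTED_DOMAINS:
        findings.append("external-sender")
        findings += [f"lookalike-of:{t}" for t in sorted(TRUSTED_DOMAINS) if looks_like(domain, t)]
    # Authentication-Results is stamped by the receiving mail server (RFC 8601).
    if "dmarc=pass" not in msg.get("Authentication-Results", ""):
        findings.append("dmarc-not-pass")
    registered = DOMAIN_REGISTERED.get(domain)
    if registered is None or (today - registered).days < NEW_DOMAIN_DAYS:
        findings.append("recently-registered-or-unknown-domain")
    return findings


@dataclass
class PaymentRequest:
    vendor: str
    amount: float
    bank_account: str
    requested_via: str  # channel the request arrived on, e.g. "email"


def approval_reasons(req: PaymentRequest) -> list[str]:
    """Administrative layer: conditions that require a second-level approval."""
    reasons = []
    on_file = VENDOR_ACCOUNTS.get(req.vendor)
    if on_file is None:
        reasons.append("new-vendor")
    elif on_file != req.bank_account:
        reasons.append("bank-account-change")
    if req.amount > SECOND_APPROVAL_THRESHOLD:
        reasons.append("over-threshold")
    return reasons


def triage(raw_email: str, req: PaymentRequest, today: date) -> dict:
    """Combine both layers into a hold/proceed decision for the payments team."""
    email_findings = assess_email(raw_email, today)
    reasons = approval_reasons(req)
    if email_findings or reasons:
        channel = ALTERNATE_CHANNEL.get(req.requested_via, "phone")
        action = f"hold: verify by {channel} using contact details on file"
    else:
        action = "proceed"
    return {"email_findings": email_findings, "approval_reasons": reasons, "action": action}


# Constructed sample: a lookalike-domain request that also changes the bank account.
SPOOFED_EMAIL = """\
From: "Pat Finance" <pat@examp1e-corp.com>
Subject: Urgent: updated wire instructions
Authentication-Results: mx.example-corp.com; dmarc=none header.from=examp1e-corp.com

Please pay the attached invoice to our new account today.
"""
# Constructed sample: a routine invoice from a vetted vendor.
LEGIT_EMAIL = """\
From: accounts@vendor-example.com
Subject: Invoice 4471
Authentication-Results: mx.example-corp.com; dmarc=pass header.from=vendor-example.com

Invoice 4471 attached, payable to the account on file.
"""
TODAY = date(2019, 1, 15)  # constructed reference date

if __name__ == "__main__":
    risky = PaymentRequest("vendor-example.com", 120_000, "CONSTRUCTED-ACCT-9999", "email")
    print(triage(SPOOFED_EMAIL, risky, TODAY))
```

The email checks only label a message; they do not by themselves decide whether money moves. That decision sits in `triage`, which holds the payment whenever either layer raises a reason and names a verification channel different from the one the request came in on, so a compromised or spoofed mailbox cannot also supply the confirmation.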
Companies with a comprehensive risk management program that addresses risk scenarios across their people, processes and technology will be better prepared to prevent and detect these attacks, and will minimize the chance of regulatory scrutiny if an incident should still occur.