SEC investigates cyber-related frauds
On October 16th, the US Securities and Exchange Commission published Report of Investigation Pursuant to Section 21(a) of the Securities Exchange Act of 1934 Regarding Certain Cyber-Related Frauds Perpetrated Against Public Companies and Related Internal Accounting Controls Requirements.
This is an important report that risk and audit professionals should read and consider. They should also consider bringing it to the attention of the board and its audit committee.
The SEC investigated cyber-related frauds against “nine issuers that were victims of one of two variants of schemes involving spoofed or compromised electronic communications from persons purporting to be company executives or vendors”.
They said that:
“Each of the nine issuers lost at least $1 million; two lost more than $30 million. In total, the nine issuers lost nearly $100 million to the perpetrators, almost all of which was never recovered. Some of the investigated issuers were victims of protracted schemes that were only uncovered as a result of third-party actions, such as through detection by a foreign bank or law enforcement agency. Indeed, one company made 14 wire payments requested by the fake executive over the course of several weeks—resulting in over $45 million in losses—before the fraud was uncovered by an alert from a foreign bank. Another of the issuers paid eight invoices totaling $1.5 million over several months in response to a vendor’s manipulated electronic documentation for a banking change; the fraud was only discovered when the real vendor complained about past due invoices.”
The report described the schemes used, generally the result of spoofs that fooled company management and staff.
The SEC had previously issued guidance related to the disclosure of cyber-related risks and incidents. Commission Statement and Guidance on Public Company Cybersecurity Disclosures should be read and understood for its implications for risk management and on a company’s disclosure controls and procedures (the adequacy of which the CEO and CFO are required to attest in their quarterly and annual filings by s302 of the Sarbanes-Oxley Act of 2002).
In this report, the SEC states:
In light of the risks associated with today’s ever expanding digital interconnectedness, public companies should pay particular attention to the obligations imposed by Section 13(b)(2)(B) to devise and maintain internal accounting controls that reasonably safeguard company and, ultimately, investor assets from cyber-related frauds. More specifically, Section 13(b)(2)(B)(i) and (iii) require certain issuers to “devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances that (i) transactions are executed in accordance with management’s general or specific authorization,” and that “(iii) access to assets is permitted only in accordance with management’s general or specific authorization.” As the Senate underscored when these provisions were passed, “[t]he expected benefits from the conscientious discharge of these responsibilities are of basic importance to investors and the maintenance of the integrity of our capital market system.”
Please note that the legal requirement to have internal controls that prevent and, if necessary, detect frauds is not new. The guidance in this new report by the SEC simply points out that the system of internal control should address the risk of fraud due to cyber-related activities. Those should include not only the spoofs discussed in the SEC report, but also any losses due to hackers breaching cyber defenses.
THIS IS NOT A NEW SARBANES-OXLEY s404 REQUIREMENT.
SOX s404 still requires a top-down and risk-based approach that will prevent or detect, on a timely basis, a material misstatement (error or omission) of the financial statements that are filed with the SEC.
Note:
- Internal Control over Financial Reporting for SOX s404 only needs to address frauds that might be material (in amount or based on a qualitative factor, in rare cases) to the prudent investor.
- Even those only need to be covered by the s404 scope if they would result in a misstatement of the financials filed with the regulator. If the fraud loss is correctly recorded and reported as an operating expense, the financials are not misstated. This is expressly stated in Auditing Standard No. 5.
- However, it is appropriate to have controls that will prevent or detect lower levels of cyber-related fraud when doing so makes good business sense – in other words when justified by the level of risk to the business. The controls that address the lower levels of risk should not be included in scope for SOX.
So, read the report (and the earlier guidance on disclosures) and discuss what it means to your organization. But don’t rush to add non-material cyber-related fraud to your scope for SOX.
I welcome your comments.
Very good!
My initial take is a control that demonstrates employee information security awareness training should suffice. But COSO 2013 has guided to that already. Those who effectively adopted COSO 2013 should have this control in place already. Question is, does the control now become a key control that is routinely tested by IA.
I don’t think that is sufficient to address the risk in most organizations. It may serve to some extent for spoofing, but there are tools that may help. The issue is not limited to spoofing or emails with links.
Companies should understand the risk and have controls appropriate to that level of risk.
Internal audit should pick its audits based on the level of risk and not perform the same work every year.
I guess being a technology auditor, I wasn’t thinking about the entire process. I recall the report specifically mentions accounting controls. Would you say in addition to training, there needs to be accounting controls around the P2P process? As in, how are expenses paid out, who approves them and what level of support (three-way match) is maintained for each invoice.
“Internal audit should pick its audits based on the level of risk and not perform the same work every year.”
Alas! So many IA shops are not even on version 1.0.
Norman, you may also be interested in this court case which places responsibility for an employee’s actions with the employer. The employee was an internal auditor! https://www.bbc.co.uk/news/business-45943735