By Joshua Mooney and Andrew Lipton, White and Williams LLP
On October 16, 2018, the Securities and Exchange Commission’s (SEC) Division of Enforcement issued a report on Cyber-Related Frauds Against Public Companies and Related Internal Accounting Controls Requirements (the Report) warning that a public company’s failure to implement adequate cybersecurity controls to address the risk of “business email compromises” (BECs) may violate Section 13(b)(2)(B) of the Securities Exchange Act of 1934 (the 1934 Act). The Report foretells a potentially seismic shift in securities regulation for cybersecurity, and the agency’s interpretation of the 1934 Act should be a stark warning to companies that have not taken affirmative steps to address the risks posed by phishing attacks.
The Report arguably builds upon the SEC’s February 21, 2018 guidance on cyber disclosure by publicly traded companies, which advised companies to disclose cyber risks that are material, including by amending prior filings to the extent such material risks were not adequately disclosed. Given the Report’s focus on “internal controls,” public companies and legal practitioners should anticipate that the existence and sufficiency of such controls will be a critical component of SEC regulation, investigations, and enforcement actions with respect to public companies’ disclosure and handling of cybersecurity risk and events. Further, if the SEC views cybersecurity controls as crucial for financial disclosures under existing statutory regimes, i.e., the Sarbanes-Oxley Act and the 1934 Act, then the SEC should be expected to view cybersecurity controls as critical for compliance with the federal securities laws generally. With this shift, the SEC soon may require individual directors and officers to certify their companies’ compliance with cybersecurity controls, just as executive management for certain companies must do under New York’s cybersecurity regulations. Such a requirement, in turn, may create a new breeding ground for shareholder class actions and derivative actions. As discussed below, the SEC’s Report may be the vanguard of new and significant changes.
I. What are BECs?
BECs are a category of phishing attack in which a third-party fraudster impersonates a trusted source to trick the email’s recipient into wiring money to an account the fraudster controls. A company employee (typically a lower-level employee in finance or accounts payable) receives a false email ostensibly coming from a trusted source (a company executive or an established vendor) instructing that a payment be wired to a specified bank account. Many times, these phishing emails have a time-pressure component (i.e., “I will need the payment wired ASAP”), an impatient tone (“This is the third time we’ve made this request”), or invoke a matter of “critical nature” (“This is vital to the company’s new strategic initiative”) in order to intimidate the recipient and inhibit him or her from questioning the request. In a successful BEC attack, the wiring instructions are followed and the payment is sent. Once the money is wired, the fraudster quickly withdraws or moves the funds, and they are rarely recovered.
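The indicators described above (a trusted name on an untrusted address, a lookalike vendor domain, pressure language, a request to wire funds or change bank details) are exactly what a mail-filtering or awareness control looks for. The following is an added example, not code from the article or from the SEC Report, that scores messages against those indicators. The company domain, executive list, vendor domains and the three sample messages are all constructed for illustration; a real deployment would also consult SPF/DKIM/DMARC results and the organization’s own directory.

```python
"""
Added example (not from the original article): heuristic scoring of inbound
email for the common BEC indicators described in the text: impersonation of
a trusted sender, a lookalike domain, urgency language and a payment request.
All domains, names and messages below are constructed for illustration.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed reference data: the company's own domain, executives who are
# commonly impersonated, and vendor domains the company actually pays.
INTERNAL_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}
KNOWN_VENDOR_DOMAINS = {"acme-supplies.com"}

URGENCY = re.compile(r"\b(asap|urgent(ly)?|immediately|today|third time|right away)\b", re.I)
PAYMENT = re.compile(r"\b(wire|wiring|bank account|routing|invoice|payment|transfer)\b", re.I)


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; used to catch one-typo lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def score_message(raw: str) -> dict:
    """Return {'score': n, 'indicators': [...]} for one RFC 822 message."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    sender_dom = _domain(addr)
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = f"{msg.get('Subject', '')}\n{body}"
    indicators = []

    # 1. An executive's display name, but not the executive's real mailbox
    #    (the classic "CEO fraud" sent from a free webmail account).
    exec_addr = EXECUTIVES.get(display.strip().lower())
    if exec_addr and addr.lower() != exec_addr:
        indicators.append("executive display name on external address")

    # 2. Reply-To silently redirects replies to a different domain.
    if reply_to and _domain(reply_to) != sender_dom:
        indicators.append("reply-to domain differs from sender domain")

    # 3. Sender domain is one typo away from our own domain or a known vendor.
    for trusted in {INTERNAL_DOMAIN, *KNOWN_VENDOR_DOMAINS}:
        if sender_dom != trusted and edit_distance(sender_dom, trusted) == 1:
            indicators.append(f"lookalike of {trusted}")

    # 4. Pressure language and 5. a payment or bank-detail request.
    if URGENCY.search(text):
        indicators.append("urgency language")
    if PAYMENT.search(text):
        indicators.append("payment or bank-detail request")

    return {"score": len(indicators), "indicators": indicators}


# Constructed sample: executive impersonation from a webmail account.
CEO_FRAUD = """From: Jane Doe <jane.doe.ceo@gmail.com>
Reply-To: Jane Doe <jane.doe.ceo@gmail.com>
To: ap.clerk@example.com
Subject: Urgent wire needed today

I am in meetings all day. Please wire $48,000 to the account below ASAP,
this is vital to the new strategic initiative. Do not discuss with anyone.
"""

# Constructed sample: vendor impersonation from a lookalike domain.
VENDOR_FRAUD = """From: Accounts <billing@acme-suplies.com>
Reply-To: billing@acme-suplies.com
To: ap.clerk@example.com
Subject: Updated bank account for invoice 1182

This is the third time we've made this request. Our bank account has changed;
please update your records and send payment to the new routing number.
"""

# Constructed sample: an ordinary internal message.
BENIGN = """From: Bob Smith <bob.smith@example.com>
To: ap.clerk@example.com
Subject: Lunch menu

The cafeteria is serving tacos on Thursday.
"""

if __name__ == "__main__":
    for label, raw in (("ceo", CEO_FRAUD), ("vendor", VENDOR_FRAUD), ("benign", BENIGN)):
        print(label, score_message(raw))
```

A score of two or more with a payment indicator is a reasonable point at which to hold the message for review or to require the recipient to confirm the request out of band; the rules are deliberately simple so that they can be explained to the employees who must act on them.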
BECs represent a significant risk to U.S. companies and to the economy as a whole. In a recent report, the Federal Bureau of Investigation estimated that BECs have caused over $5 billion in losses since 2013. The same report concludes that the loss total for 2017 alone, approximately $675 million, was the highest estimated out-of-pocket loss from any class of cyber-facilitated crime that year. What makes BECs so dangerous is their simplicity. Although a false email ostensibly coming from a vendor can be a sophisticated endeavor, because it may involve a successful intrusion into the vendor’s network and systems, BECs generally do not involve sophisticated fraud schemes or technology. Instead, they prey upon distraction, intimidation, and imitation, all weaknesses in human nature. Compounding the damage caused by BECs is the uncertainty of insurance coverage. Courts have struggled to understand the technology at issue and in turn have issued conflicting decisions.
II. Implementing Internal Controls
The SEC long has recognized the significance of cyberattacks. It now has zeroed in on BECs. According to the SEC, the threat posed by BECs “underscore[s] the importance of devising and maintaining a system of internal accounting controls,” including training, to “protect assets in compliance with the federal securities laws.” Recognizing that BECs and other phishing attacks represent “an ever-increasing part of the cybersecurity threats faced by a wide variety of businesses,” the SEC now states that “public companies should pay particular attention to the obligations imposed by Section 13(b)(2)(B) to devise and maintain internal accounting controls that reasonably safeguard company and, ultimately, investor assets from cyber-related frauds.” Section 13(b)(2)(B)(i) and (iii) states:
(2) Every issuer which has a class of securities registered pursuant to section 12 of this title [15 U.S.C. § 78l] and every issuer which is required to file reports pursuant to section 15(d) of this title [15 U.S.C. § 78o(d)] shall –
* * *
(B) devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances that–
(i) transactions are executed in accordance with management’s general or specific authorization;
* * *
(iii) access to assets is permitted only in accordance with management’s general or specific authorization[.]
The Report concludes that these provisions now require public companies (those governed by Sections 12 and 15(d)) to undertake affirmative steps, through the implementation of cybersecurity controls, to mitigate the risks posed by BECs and similar phishing attacks. Critically, this interpretation of Section 13(b)(2)(B)(i) and (iii) may easily be applied to any significant cyber risk or known variant of cyberattack. Because companies with appropriate technical and administrative data security procedures are in a far better position to detect and prevent a successful cyberattack, the SEC is using existing securities laws to ensure that companies take affirmative steps to implement such safeguards. In essence, the SEC is charting new waters.
Moreover, the SEC’s focus on the human factor in cybersecurity risk should not be underestimated. For example, the SEC notes that “there were numerous examples where the recipients of the fraudulent communications asked no questions about the nature of the supposed transactions, even where such transactions were clearly outside of the recipient employee’s domain.” The Report further notes that “[h]aving internal accounting control systems that factor in such cyber-related threats, and related human vulnerabilities, may be vital to maintaining a sufficient accounting control environment and safeguarding assets,” and observes that “[s]ystems of internal accounting controls, by their nature, depend also on the personnel that implement, maintain, and follow them.” This focus suggests that while an SEC investigation may center upon the technical and administrative aspects of a public company’s cybersecurity program, the agency also would investigate the steps undertaken by the company to ensure effective implementation, including training. Simply put, it is not enough to have a written security program in place. The program’s implementation must be effective.
To be clear, the Report does not endorse a one-size-fits-all approach. In the Report, the SEC states that companies “subject to the requirements of Section 13(b)(2)(B) must calibrate their internal accounting controls to the current risk environment and assess and adjust policies and procedures accordingly.” The Report also emphasizes that not every public company that is the victim of a BEC is in violation of the federal securities laws. Instead, companies should ensure that they have reasonable measures in place and confirm that those measures have been implemented effectively. Companies “should evaluate to what extent they should consider cyber-related threats when devising and maintaining their internal accounting control systems,” and be mindful of whether internal controls already in place “are sufficient to provide reasonable assurances in safeguarding their assets from these risks.” Those companies that do nothing, or that fail to ensure that existing security controls address current risks and are actually implemented, may face an SEC enforcement action in addition to any loss suffered from a phishing attack. The Report is a clear example of how regulators are looking to existing laws to address ever-evolving cyber risks.
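Section 13(b)(2)(B)(i) and (iii), quoted above, speak of transactions executed and assets accessed only “in accordance with management’s general or specific authorization.” In the BEC cases the SEC describes, the payment went out even though the bank account, the requester or the approval did not match what management had authorized. The following added example, which is not code from the article or from the SEC Report, shows the kind of payment-release check that enforces such an authorization before a wire is sent: the payee must exist in the vendor master, a changed bank account must have been verified by a callback to the phone number already on file (never to a number supplied in the email), a threshold amount requires a second, authorized approver, and the approver must not be the requester. The vendor record, role lists, threshold and sample requests are constructed assumptions.

```python
"""
Added example (not from the article or the SEC Report): a minimal payment-release
check implementing "management's general authorization" for outgoing wires.
Every vendor, role, threshold and request below is a constructed assumption.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class VendorRecord:
    name: str
    bank_account: str      # account verified at vendor onboarding
    callback_phone: str    # number on file, never taken from an inbound email


@dataclass
class WireRequest:
    vendor: str
    bank_account: str
    amount: float
    requested_by: str
    approved_by: Optional[str] = None
    # True only when accounts payable confirmed the new account by calling
    # the vendor at VendorRecord.callback_phone, not a number in the email.
    change_verified_by_callback: bool = False


# Constructed vendor master and authorization matrix (management's general authorization).
VENDOR_MASTER = {
    "Acme Supplies": VendorRecord("Acme Supplies", "US-1111-2222", "+1-555-0100"),
}
PAYMENT_INITIATORS = {"ap.clerk"}
PAYMENT_APPROVERS = {"controller", "cfo"}
DUAL_APPROVAL_THRESHOLD = 10_000.00


def evaluate(req: WireRequest) -> Tuple[bool, List[str]]:
    """Return (release, reasons). Any reason blocks release of the wire."""
    reasons: List[str] = []
    vendor = VENDOR_MASTER.get(req.vendor)

    # (iii) access to assets only as authorized: payee must be a known vendor.
    if vendor is None:
        reasons.append("payee not in vendor master")

    # (i) transactions only as authorized: the requester must hold the initiator role.
    if req.requested_by not in PAYMENT_INITIATORS:
        reasons.append("requester not authorized to initiate payments")

    # A bank-account change is the core of most vendor-impersonation BECs; it must
    # have been confirmed out of band using contact details already on file.
    if vendor and req.bank_account != vendor.bank_account and not req.change_verified_by_callback:
        reasons.append("bank account differs from record and was not verified by callback to number on file")

    # Large amounts need a second, authorized approver distinct from the requester.
    if req.amount >= DUAL_APPROVAL_THRESHOLD:
        if req.approved_by is None or req.approved_by not in PAYMENT_APPROVERS:
            reasons.append("amount requires approval by an authorized approver")
        elif req.approved_by == req.requested_by:
            reasons.append("approver must differ from requester")

    return (not reasons, reasons)


# Constructed requests: the first mirrors a typical BEC (new account, urgent, large).
BEC_STYLE = WireRequest("Acme Supplies", "US-9999-0000", 48_000.00, "ap.clerk", "controller")
VERIFIED_CHANGE = WireRequest("Acme Supplies", "US-9999-0000", 48_000.00, "ap.clerk", "controller",
                              change_verified_by_callback=True)
NO_APPROVER = WireRequest("Acme Supplies", "US-1111-2222", 48_000.00, "ap.clerk")
UNKNOWN_PAYEE = WireRequest("Acme Suplies", "US-9999-0000", 2_500.00, "ap.clerk")

if __name__ == "__main__":
    for name, req in (("bec_style", BEC_STYLE), ("verified", VERIFIED_CHANGE),
                      ("no_approver", NO_APPROVER), ("unknown_payee", UNKNOWN_PAYEE)):
        print(name, evaluate(req))
```

The check is intentionally a gate on the release step rather than advice to the clerk: a control of this kind does not depend on the recipient noticing the urgency or the impersonation, which the Report observes employees often failed to do.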
III. Forecasting Changes in Cybersecurity Enforcement
The SEC’s February 21, 2018 cybersecurity guidance for public companies emphasizes, among other things, that companies are required to establish and maintain appropriate and effective disclosure controls and procedures that enable them to disclose cybersecurity risks and incidents accurately and in a timely manner. Companies are also required to assess whether they have sufficient disclosure controls and procedures to ensure that relevant information about cybersecurity risks and incidents is processed and reported. Thus, the SEC’s most recent Report should not come as a great surprise. Yet the Report may forecast significant changes.
The purpose of having strong disclosure controls is to assist companies in satisfying stringent disclosure obligations under the federal securities laws, including the personal certification of disclosures executed by senior management under Sarbanes-Oxley. Further, the Report clearly signals that the SEC will place the responsibility for having adequate cybersecurity controls on management, an approach that already exists for internal controls over financial reporting under Section 404 of Sarbanes-Oxley. Thus, a pattern is emerging that suggests the SEC will replicate Sarbanes-Oxley requirements for cybersecurity controls. In other words, cybersecurity controls are not merely a component of risk management; they are an integral part of internal accounting controls themselves. If this is the case, the SEC may soon require executed certifications by individual directors and officers regarding cybersecurity controls, an approach that would place new obligations and pressure on senior management. The approach also would open new avenues for shareholder class action and derivative lawsuits. Such new liability, in turn, likely would lead to an increase in claims and costs, ultimately to be borne by D&O insurers, cybersecurity insurers, and their insureds.
The SEC’s October 16, 2018 Report should be viewed as a guidepost along a path that the SEC is charting for cybersecurity enforcement. The February 21, 2018 guidance required disclosure of risks; by requiring implementation of cybersecurity controls, the Report has now taken the next critical step. The Report may be a preview of the type of cybersecurity control enforcement actions that the SEC will pursue in the future. Public companies, and D&O and cybersecurity insurers, should take notice.
Joshua Mooney is a partner of White and Williams LLP in Philadelphia, and is Co-Chair of the firm’s Cyber Law and Data Protection group.
Andrew Lipton is an associate in the New York office of White and Williams LLP, and is a member of the firm’s Cyber and Directors & Officers group.
 The full name of the SEC Investigative Report is Report of Investigation Pursuant to Section 21(a) of the Securities Exchange Act of 1934 Regarding Certain Cyber-Related Frauds Perpetrated Against Public Companies and Related Internal Accounting Controls Requirements, Release No. 84429 (October 16, 2018), available at https://www.sec.gov/litigation/investreport/34-84429.pdf.
 See 15 U.S.C. § 78m(b)(2)(B)(i) and (iii).
23 NYCRR § 500.17(b).
Report at 4. The Report focused on nine BECs involving a collective loss of approximately $100 million. Two of the nine companies lost in excess of $30 million. Id. at 3.
Compare Medidata Solutions, Inc. v. Federal Ins. Co., 2018 U.S. App. LEXIS 18376 (2d Cir. July 6, 2018), and American Tooling Ctr., Inc. v. Travelers Cas. & Sur. Co. of Am., 2018 U.S. App. LEXIS 19208 (6th Cir. July 13, 2018), with Apache Corp. v. Great Am. Ins. Co., 662 Fed. App’x 252 (5th Cir. 2016), and Aqua Star (USA) Corp. v. Travelers Cas. & Sur. Co. of Am., 719 Fed. App’x 701 (9th Cir. 2018); see also J. Mooney, Medidata & American Tooling Misunderstood Tech, Law360 (Sept. 24, 2018), available at www.law360.com.
 Report at 5.
 15 U.S.C. § 78m(b)(2)(B)(i) and (iii).
 Report at 6.
 Report at 7.
 R. Borden, A. Kane, K. Woods, “SEC Updated Guidance on Cyber Disclosure” (Feb. 22, 2018) available at https://cyber.whiteandwilliams.com/2018/02/sec-updated-guidance-on-cyber-disclosure-by-publicly-traded-companies-in-a-digitally-connected-world/.