On Oct. 16, 2018, the U.S. Securities and Exchange Commission (SEC) released a report stating that insufficient prevention of cyberfraud may violate internal accounting control provisions of the Securities Exchange Act of 1934. This report summarizes the SEC’s investigation of nine issuers that lost millions of dollars due to cyberfraud. The report reminded companies of their control requirements and left open the potential for enforcement actions.
Wire-transfer fraud attacks have existed for decades, but incidents have increased significantly over the past few years and methods have become more sophisticated. Business email compromise and social engineering attacks fall under this umbrella, with attackers constantly developing new attack techniques to optimize their return on investment. These attacks have risen 87 percent year-over-year, and while most potential attacks are thwarted, it takes only one key individual falling victim to an attack to cause significant financial impact.
While the SEC has not issued specific guidance on what companies should do, it would be prudent to implement a proactive framework to help prevent and detect cyberfraud. Key facets of such a framework include:
- Monitoring email activity to identify suspicious activity
- Enabling multifactor authentication to minimize compromises
- Providing recurring security training
- Performing regular phishing tests
- Flagging all emails from outside domains as “external”
- Implementing a strong password policy
- Actively monitoring email logs
Staying aware of the threats to the company, from social engineering attacks and other external sources, can ultimately mitigate potential reputational harm, financial loss and enforcement actions.