Regulatory Cybersecurity Alert: SEC Issues Investigative Report Regarding Cyber Threats Against Public Companies and Their Internal Accounting Controls

October 17, 2018

On October 16, 2018, the U.S. Securities and Exchange Commission (SEC) issued a press release regarding the results of the SEC’s investigative report on “business email compromises” (BECs) perpetrated against nine public companies. A BEC is a cyber incident in which bad actors using email pose as executives or vendors in order to dupe companies into wiring large sums of money into bank accounts controlled by the perpetrators.

As part of its investigation, the SEC looked into BEC fraud experienced by nine public companies in a range of sectors including technology, machinery, real estate, energy, financial, and consumer goods. Total losses resulting from the BECs were nearly $100M, with one company losing more than $45M. These losses were largely unrecoverable. The SEC did not bring charges against any of the companies investigated.

In the press release, the SEC warns public issuers subject to the internal accounting controls requirements of Section 13(b)(2)(B) of the Securities Exchange Act of 1934 that they should “calibrate their internal accounting controls to the current risk environment and assess and adjust policies and procedures accordingly.”

Stephanie Avakian, Co-Director of the SEC Enforcement Division, said in the press release, "In light of the facts and circumstances, we did not charge the nine companies we investigated, but our report emphasizes that all public companies have obligations to maintain sufficient internal accounting controls and should consider cyber threats when fulfilling those obligations."

Commenting on the investigative report, Askari Foy, Managing Director at ACA Aponix and former Head of the SEC’s National Technology Controls Program, said, "Public companies should enhance their training programs to simulate fraudulent activity such as BECs to ensure employees are educated and prepared to help prevent cyber-attacks."

ACA Aponix Guidance

ACA Aponix recommends taking the following precautionary measures regarding business email compromises and related cybersecurity incidents:

  • Establish procedures and controls for wire transfers. Ensure that all transfers rigorously follow these procedures, without exception.
  • Procure cybersecurity insurance that covers social engineering and/or fidelity bonds that could help mitigate losses in the event of an attack.
  • Establish strict identification protocols for any financial transactions. Never rely on email contact alone.
  • Continually educate staff how to identify BECs, phishing, and related social engineering schemes.
  • Review cash controls and assess cybersecurity risk at portfolio companies.
  • Public companies should review the SEC’s guidance for cybersecurity disclosures.

How ACA Can Help

ACA Aponix offers the following solutions that can help your firm protect itself from breaches, or related cybersecurity risk:

For More Information

If you have questions, please contact your regular ACA Aponix consultant or email us at