{"id":173,"date":"2018-10-29T16:20:41","date_gmt":"2018-10-29T20:20:41","guid":{"rendered":"https:\/\/pbacyber.com\/?p=173"},"modified":"2018-10-29T16:23:39","modified_gmt":"2018-10-29T20:23:39","slug":"trick-or-treat-does-the-secs-october-report-signal-a-new-shift-in-cybersecurity-enforcement","status":"publish","type":"post","link":"https:\/\/pbacyber.com\/index.php\/2018\/10\/29\/trick-or-treat-does-the-secs-october-report-signal-a-new-shift-in-cybersecurity-enforcement\/","title":{"rendered":"Trick or Treat: Does the SEC\u2019s October Report Signal a New Shift in Cybersecurity Enforcement?"},"content":{"rendered":"<p>By Joshua Mooney and Andrew Lipton, <a href=\"https:\/\/www.whiteandwilliams.com\" target=\"_blank\" rel=\"noopener\">White and Williams LLP<\/a><\/p>\n<p>&nbsp;<\/p>\n<p>On October 16, 2018, the Securities and Exchange Commission\u2019s (SEC) Division of Enforcement issued a report on <em>Cyber-Related Frauds Against Public Companies and Related Internal Accounting Controls Requirements<\/em> (the Report)<a href=\"#_ftn1\" name=\"_ftnref1\">[1]<\/a> warning that a public company\u2019s failure to implement adequate cybersecurity controls to address the risk of \u201cbusiness email compromises\u201d (BECs) may violate Sections 13(b)(2)(B) of the Securities Exchange Act of 1934 (the 1934 Act).<a href=\"#_ftn2\" name=\"_ftnref2\">[2]<\/a> This Report foretells a potentially seismic shift in securities regulation for cybersecurity, and the agency\u2019s interpretation of the 1934 Act should be a stark warning to companies that have not taken affirmative steps to address risks posed by phishing attacks.<\/p>\n<p>&nbsp;<\/p>\n<p>The Report arguably builds upon the SEC\u2019s February 21, 2018 guidance on cyber disclosure by publicly traded companies, which advised companies to disclose cyber risks that are material, including amending prior filings to the extent such material risks were not adequately disclosed. Given the Report\u2019s focus on \u201cinternal controls,\u201d public companies and legal practitioners should anticipate that the existence and sufficiency of such controls will be a critical component of SEC regulation, investigations, and enforcement actions with respect to public companies\u2019 disclosure and handling of cybersecurity risk and events. Further, if the SEC views cybersecurity controls as crucial for financial disclosures, as required by existing statutory regimes, <em>i.e.,<\/em> the Sarbanes-Oxley Act and the 1934 Act, then the SEC should be expected to view cybersecurity controls as critical for compliance with federal securities laws. With this new shift, the SEC soon may require individual directors and officers to certify their companies\u2019 compliance with cybersecurity controls, just as executive management for certain companies must do under New York\u2019s cybersecurity regulations.<a href=\"#_ftn3\" name=\"_ftnref3\">[3]<\/a> This requirement, in turn, may create a new breeding ground for shareholder class actions and derivative actions. As discussed below, the SEC\u2019s Report may be a vanguard of new and significant changes.<\/p>\n<p>&nbsp;<\/p>\n<h3>I. What are BECs?<\/h3>\n<p>BECs are a category of phishing attacks whereby a third-party fraudster impersonates a trusted source to trick the email\u2019s recipient into wiring money to them. A company employee (typically, a lower-level employee) will receive a false email ostensibly coming from a trusted source (a company executive or established vendor) instructing that a payment be wired to a specified bank account that the fraudster controls. Many times, these phishing emails have a time pressure component (i.e., \u201cI will need the payment wired ASAP\u201d), an impatient tone (\u201cThis is the third time we\u2019ve made this request\u201d), or involve a matter of \u201ccritical nature\u201d (\u201cThis is vital to the company\u2019s new strategic initiative\u201d) in order to intimidate the recipient and inhibit him or her from questioning the request. In every successful BEC attack, the wiring instructions are followed, and payment(s) is\/are sent. Once the money is wired, the funds are withdrawn by the fraudster, and the money is irretrievable.<\/p>\n<p>&nbsp;<\/p>\n<p>BECs represent a significant risk to U.S. companies and to the economy as a whole. In a recent report, the Federal Bureau of Investigation estimated that BECs have caused over $5 billion in losses since 2013.<a href=\"#_ftn4\" name=\"_ftnref4\">[4]<\/a> The same report concludes that the loss totals for 2017 alone, approximately $675 million, represented the highest estimated out-of-pocket loss from any class of cyber-facilitated crime that year.<a href=\"#_ftn5\" name=\"_ftnref5\">[5]<\/a> What makes BECs so dangerous is their simplicity. Although false emails ostensibly coming from vendors can be a sophisticated endeavor because they may involve a successful intrusion into the vendors\u2019 network and system, generally, BECs do not involve sophisticated frauds schemes or technology.<a href=\"#_ftn6\" name=\"_ftnref6\">[6]<\/a> Instead, they prey upon distraction, intimidation, and imitation \u2013 all weaknesses in human nature. Compounding the damage caused by BECs is the uncertainty of insurance coverage. Courts have struggled to understand the technology at issue and in turn have issued conflicting decisions.<a href=\"#_ftn7\" name=\"_ftnref7\">[7]<\/a><\/p>\n<p>&nbsp;<\/p>\n<h3>II. Implementing Internal Controls<\/h3>\n<p>The SEC long has recognized the significance of cyberattacks. It now has zeroed in on BECs. According to the SEC, the threat posed by BECs \u201cunderscore[s] the importance of devising and maintaining a system of internal accounting controls,\u201d including training, to \u201cprotect assets in compliance with the federal securities laws.\u201d<a href=\"#_ftn8\" name=\"_ftnref8\">[8]<\/a> Recognizing that BECs and other phishing attacks represent \u201can ever-increasing part of the cybersecurity threats faced by a wide variety of businesses,\u201d the SEC now states that \u201cpublic companies should pay particular attention to the obligations imposed by Section 13(b)(2)(B) to devise and maintain internal accounting controls that reasonably safeguard company and, ultimately, investor assets from cyber-related frauds.\u201d<a href=\"#_ftn9\" name=\"_ftnref9\">[9]<\/a> Sections 13(b)(2)(B) (i) and (iii) state:<\/p>\n<p>&nbsp;<\/p>\n<p style=\"padding-left: 180px;\">(2) Every issuer which has a class of securities registered pursuant to section 12 of this title [15 U.S.C. \u00a7 781] and every issuer which is required to file reports pursuant to section 15(d) of this title [15 U.S.C. \u00a7 780(d)] shall \u2013<\/p>\n<p style=\"text-align: center; padding-left: 180px;\">* * *<\/p>\n<p style=\"padding-left: 180px;\">(B)\u00a0 devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances that&#8211;<\/p>\n<p style=\"padding-left: 180px;\">(i)\u00a0 transactions are executed in accordance with management\u2019s general or specific authorization;<\/p>\n<p style=\"text-align: center; padding-left: 180px;\">* * *<\/p>\n<p style=\"padding-left: 180px;\">(iii)\u00a0 access to assets is permitted only in accordance with management&#8217;s general or specific authorization[.]<a href=\"#_ftn10\" name=\"_ftnref10\">[10]\u00a0<\/a><\/p>\n<p>&nbsp;<\/p>\n<p>The Report concludes that these provisions <em>now<\/em> require public companies (governed by Sections 12 and 15(d)) to undertake affirmative steps through the implementation of cybersecurity controls to mitigate the risks posed by BECs and similar phishing attacks. Critically, this interpretation of Sections 13(b)(2)(B) (i) and (iii) easily may be applied to any significant cyber risk or known variant of cyberattack. Because companies with appropriate technical and administrative data security procedures are in a far better position to detect and prevent a successful cyberattack, the SEC is using existing securities laws to ensure that companies take affirmative steps to implement such safeguards. In essence, the SEC is charting new waters.<\/p>\n<p>&nbsp;<\/p>\n<p>Moreover, the SEC\u2019s focus on the human factor in cybersecurity risks should not be underestimated. For example, the SEC notes that \u201cthere were numerous examples where the recipients of the fraudulent communications asked no questions about the nature of the supposed transactions, even where such transactions were clearly outside of the recipient employee\u2019s domain.\u201d<a href=\"#_ftn11\" name=\"_ftnref11\">[11]<\/a> The Report further notes that \u201c[h]aving internal accounting control systems that factor in such cyber-related threats, and related human vulnerabilities, may be vital to maintaining a sufficient accounting control environment and safeguarding assets,\u201d and observes that \u201c[s]ystems of internal accounting controls, by their nature, depend also on the personnel that implement, maintain, and follow them.\u201d<a href=\"#_ftn12\" name=\"_ftnref12\">[12]<\/a> This focus suggests that while an SEC investigation may center upon technical and administrative aspects of any public company\u2019s cybersecurity program, the agency also would investigate steps undertaken by the company to ensure effective implementation, including training. Simply, it is not enough to have a written security program in place. The program\u2019s implementation must be effective.<\/p>\n<p>&nbsp;<\/p>\n<p>To be clear, the Report does not endorse a one-size-fits-all approach. In the Report, the SEC states that companies \u201csubject to the requirements of Section 13(b)(2)(B) must calibrate their internal accounting controls to the current risk environment and assess and adjust policies and procedures accordingly.\u201d<a href=\"#_ftn13\" name=\"_ftnref13\">[13]<\/a> The Report also emphasizes that every public company that is a victim of a BEC is not necessarily in violation of federal securities laws. Instead, companies should ensure that they have reasonable measures in place and confirm that those measures have been implemented effectively. Companies \u201cshould evaluate to what extent they should consider cyber-related threats when devising and maintaining their internal accounting control systems,\u201d and be mindful whether internal controls already in place \u201care sufficient to provide reasonable assurances in safeguarding their assets from these risks.\u201d<a href=\"#_ftn14\" name=\"_ftnref14\">[14]<\/a> Those companies that do nothing, or fail to ensure that existing security controls address current risks and are implemented, may face an SEC enforcement action in addition to any loss suffered from a phishing attack. The Report is a clear example of how regulators are looking to existing laws to address ever-evolving cyber risks.<\/p>\n<p>&nbsp;<\/p>\n<h3>III. Forecasting Changes in Cybersecurity Enforcement<\/h3>\n<p>The SEC\u2019s February 21, 2018 cybersecurity guidance for public companies emphasizes, among other things, that companies are required to establish and maintain appropriate and effective disclosure controls and procedures that enable them to accurately and timely disclose cybersecurity risks and incidents.<a href=\"#_ftn15\" name=\"_ftnref15\">[15]<\/a> Companies are also required to assess whether they have sufficient disclosure controls and procedures to ensure that relevant information about cybersecurity risks and incidents is processed and reported. Thus, the SEC\u2019s most recent Report should not come as a great surprise. Yet, the Report may forecast significant changes.<\/p>\n<p>&nbsp;<\/p>\n<p>The purpose of having strong disclosure controls is to assist companies in satisfying stringent disclosure obligations under the federal securities laws, including personal certification of disclosure executed by senior management under Sarbanes-Oxley. Further, the Report clearly signals that the SEC will place the responsibility of having adequate cybersecurity controls on management, an approach that already exists for internal controls over financial reporting under Section 404 of Sarbanes-Oxley. Thus, a pattern is emerging that suggests the SEC will replicate Sarbanes-Oxley requirements for cybersecurity controls. In other words, cybersecurity controls are not a component of risk management, they are an integral part of internal accounting controls themselves. If this is the case, the SEC may soon require executed certifications by individual directors and officers regarding cybersecurity controls, an approach that would place new obligations and pressure on senior management. The approach also would open new avenues for shareholder class action and derivative lawsuits. Such new liability, in turn, likely would lead to an increase in claims and costs, ultimately to be borne by D&amp;O insurers, cybersecurity insurers, and their insureds.<\/p>\n<p>&nbsp;<\/p>\n<p>The SEC\u2019s October 16, 2018 Report should be viewed as a guidepost along a path that the SEC is charting for cybersecurity enforcement. The February 21, 2018 guidance required disclosure of risks; by requiring implementation of cybersecurity controls, the Report has now taken the next critical step. The Report may be a preview of the type of cybersecurity control enforcement actions that the SEC may pursue in the future. Public companies, and D&amp;O and cybersecurity insurers should take notice.<\/p>\n<p>&nbsp;<\/p>\n<p><span style=\"display: inline !important; float: none; background-color: transparent; color: #000000; font-family: 'Open Sans',Arial,sans-serif; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration: none; text-indent: 0px; text-transform: none; -webkit-text-stroke-width: 0px; white-space: normal; word-spacing: 0px;\">______________________________<\/span><\/p>\n<p><a href=\"https:\/\/www.whiteandwilliams.com\/lawyers-JoshuaMooney.html\" target=\"_blank\" rel=\"noopener\">Joshua Mooney<\/a> is a partner of White and Williams LLP in Philadelphia, and is Co-Chair of the firm\u2019s Cyber Law and Data Protection group.<\/p>\n<p><a href=\"https:\/\/www.whiteandwilliams.com\/lawyers-AndrewLipton.html\" target=\"_blank\" rel=\"noopener\">Andrew Lipton<\/a> is an associate at White and Williams LLP, New York office, and is a member of the firm\u2019s Cyber and Directors &amp; Officers group.<\/p>\n<p>______________________<\/p>\n<p>&nbsp;<\/p>\n<p><a href=\"#_ftnref1\" name=\"_ftn1\">[1]<\/a> \u00a0 The full name of the SEC Investigative Report is Report of Investigation Pursuant to Section 21(a) of the Securities Exchange Act of 1934 Regarding Certain Cyber-Related Frauds Perpetrated Against Public Companies and Related Internal Accounting Controls Requirements, Release No. 84429 (October 16, 2018), available at <a href=\"https:\/\/www.sec.gov\/litigation\/investreport\/34-84429.pdf\">https:\/\/www.sec.gov\/litigation\/investreport\/34-84429.pdf<\/a>.<\/p>\n<p><a href=\"#_ftnref2\" name=\"_ftn2\">[2]<\/a> <em>See <\/em>15 U.S.C. \u00a7 78m(b)(2)(B)(i) and (iii).<\/p>\n<p><a href=\"#_ftnref3\" name=\"_ftn3\">[3]<\/a> 23 NYCRR Part 500.17.b.<\/p>\n<p><a href=\"#_ftnref4\" name=\"_ftn4\">[4]<\/a>\u00a0 S<em>ee <\/em>FBI, 2017 Internet Crime Report at 12, 21 (May 7, 2018) available at <a href=\"https:\/\/pdf.ic3.gov\/2017_IC3Report.pdf\"><em>https:\/\/pdf.ic3.gov\/2017_IC3Report.pdf<\/em><\/a><em>. <\/em><\/p>\n<p><a href=\"#_ftnref5\" name=\"_ftn5\">[5]<\/a>\u00a0 <em>Id.<\/em><\/p>\n<p><a href=\"#_ftnref6\" name=\"_ftn6\">[6]<\/a> \u00a0 Report at 4. The Report on nine BECs involving a collective loss of approximately $100 million. Two of the nine companies lost in excess of $30 million. <em>Id.<\/em> at 3.<\/p>\n<p><a href=\"#_ftnref7\" name=\"_ftn7\">[7]<\/a> <em>Compare<\/em> <em>Medidata Solutions, Inc. v. Federal Ins. Co.<\/em>, 2018 U.S. App. LEXIS 18376 (2d Cir. July 6, 2018), and <em>American Tooling Ctr., Inc. v. Travelers Cas. &amp; Sur. Co. of Am.<\/em>, 2018 U.S. App. LEXIS 19208 (6<sup>th<\/sup> Cir. July 13, 2018) <em>with <\/em><em>Apache Corp. v. Great Amer. Ins. Co.<\/em>, 662 Fed App\u2019x 252 (5<sup>th<\/sup> Cir. 2016) and <em>Aqua Star (USA) Corp. v. Travelers Cas. &amp; Sur. Co. of Am.<\/em>, 719 Fed App\u2019x 701 (9<sup>th<\/sup> Cir. 2018); <em>see also <\/em>J. Mooney,<em> Medidata &amp; American Tooling Misunderstood Tech<\/em>, Law360 (Sept. 24, 20108), available at <a href=\"http:\/\/www.law360.com\/\">www.law360.com<\/a>.<\/p>\n<p><a href=\"#_ftnref8\" name=\"_ftn8\">[8]<\/a>\u00a0 Report at 5.<\/p>\n<p><a href=\"#_ftnref9\" name=\"_ftn9\">[9]<\/a>\u00a0 <em>Id.<\/em><\/p>\n<p><a href=\"#_ftnref10\" name=\"_ftn10\">[10]<\/a>\u00a0 15 U.S.C. \u00a7 78m(b)(2)(B)(i) and (iii).<\/p>\n<p><a href=\"#_ftnref11\" name=\"_ftn11\">[11]<\/a> Report at 6.<\/p>\n<p><a href=\"#_ftnref12\" name=\"_ftn12\">[12]<\/a>\u00a0 <em>Id. <\/em><\/p>\n<p><a href=\"#_ftnref13\" name=\"_ftn13\">[13]<\/a>\u00a0 <em>Id.<\/em><\/p>\n<p><a href=\"#_ftnref14\" name=\"_ftn14\">[14]<\/a> Report at 7.<\/p>\n<p><a href=\"#_ftnref15\" name=\"_ftn15\">[15]<\/a> R. Borden, A. Kane, K. Woods, \u201cSEC Updated Guidance on Cyber Disclosure\u201d (Feb. 22, 2018) available at <a href=\"https:\/\/cyber.whiteandwilliams.com\/2018\/02\/sec-updated-guidance-on-cyber-disclosure-by-publicly-traded-companies-in-a-digitally-connected-world\/\">https:\/\/cyber.whiteandwilliams.com\/2018\/02\/sec-updated-guidance-on-cyber-disclosure-by-publicly-traded-companies-in-a-digitally-connected-world\/<\/a><u>. <\/u><\/p>\n","protected":false},"excerpt":{"rendered":"<p>By Joshua Mooney and Andrew Lipton, White and Williams LLP &nbsp; On October 16, 2018, the Securities and Exchange Commission\u2019s (SEC) Division of Enforcement issued a report on Cyber-Related Frauds Against Public Companies and Related Internal Accounting Controls Requirements (the Report)[1] warning that a public company\u2019s failure to implement adequate cybersecurity controls to address the <br \/><a class=\"read-more-button\" href=\"https:\/\/pbacyber.com\/index.php\/2018\/10\/29\/trick-or-treat-does-the-secs-october-report-signal-a-new-shift-in-cybersecurity-enforcement\/\">Read More &raquo;<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[6,7],"tags":[],"_links":{"self":[{"href":"https:\/\/pbacyber.com\/index.php\/wp-json\/wp\/v2\/posts\/173"}],"collection":[{"href":"https:\/\/pbacyber.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/pbacyber.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/pbacyber.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/pbacyber.com\/index.php\/wp-json\/wp\/v2\/comments?post=173"}],"version-history":[{"count":2,"href":"https:\/\/pbacyber.com\/index.php\/wp-json\/wp\/v2\/posts\/173\/revisions"}],"predecessor-version":[{"id":175,"href":"https:\/\/pbacyber.com\/index.php\/wp-json\/wp\/v2\/posts\/173\/revisions\/175"}],"wp:attachment":[{"href":"https:\/\/pbacyber.com\/index.php\/wp-json\/wp\/v2\/media?parent=173"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/pbacyber.com\/index.php\/wp-json\/wp\/v2\/categories?post=173"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/pbacyber.com\/index.php\/wp-json\/wp\/v2\/tags?post=173"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}