CLIENT ALERT: SEC Warns of Potential Violations from Cyber Risks
The United States Securities and Exchange Commission (the “SEC”) recently released a report following an investigation of certain publicly traded issuers that should be a clarion call to any issuer subject to the reporting obligations of the Securities Exchange Act of 1934, as amended (the “Exchange Act”). Specifically, the SEC investigated cyber-crime-related losses caused by email “spoofing” and hacked vendor email accounts, which resulted in nearly $100 million in losses to the nine issuers that were the subject of the investigation. Overall, the SEC noted that this type of fraud had resulted in “over $5 billion in losses since 2013, with an additional $675 million in adjusted losses in 2017” alone.
The SEC’s report warns issuers of the danger of potential federal securities laws violations that can compound problems for a company that already has been defrauded. Section 13(b)(2)(B) of the Exchange Act requires, among other things, that issuers “devise and maintain a system of internal accounting controls” that will “provide reasonable assurances” that “transactions are executed in accordance with management’s general or specific authorization” and that “access to assets is permitted only in accordance with management’s general or specific authorization.” In particular, the SEC warns that businesses must “calibrate their internal accounting controls to the current risk environment and assess and adjust policies and procedures accordingly.” Not only is this a good business practice, it is a requirement under federal securities laws.
The SEC’s report focused on two types of cyber-crime fraud that companies are facing with increased frequency: emails from fraudsters posing as company executives and emails from fraudsters posing as vendors. With respect to purported company executive emails, the SEC noted that this type of scam is seldom technically sophisticated. Instead, the fraudster relies upon creating an impression that the payment is urgent or important and capitalizing on an employee’s desire to carry out instructions from a superior efficiently. Vendor email scams are often more sophisticated, with fraudulent emails appearing legitimate because they come from the vendor’s own email account, which has been hacked; in that case nothing about the message itself reveals the fraud, and the only warning sign is the change in payment instructions, typically a new bank account. Whether an email account is “spoofed” or hacked, businesses need to adopt multi-stage protocols for processing and approving payments, such as confirming new or changed payment instructions with the payee through a channel other than email and requiring a second approver for large transfers, that protect against scams which take advantage of the ubiquity of email in the modern business world.
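The multi-stage protocol described above, as an added illustration that is not part of the SEC’s report or of this alert: a small Python gate that decides which independent controls a payment request must clear before funds are released. It separates the two cases the SEC describes. A display name that matches an officer but a mailbox that does not is rejected outright, whatever domain the mail came from, while a request from a vendor’s genuine (possibly hacked) account is let through only once the changed bank account has been confirmed by telephone against the vendor master file. The company, the executive mailbox, the vendor record, the approval threshold and the sample requests are all constructed, hypothetical data.

```python
from dataclasses import dataclass
from email.utils import parseaddr

# Constructed reference data for a hypothetical company; none of it comes from the SEC report.
EXECUTIVE_MAILBOXES = {"jane doe": "jane.doe@example.com"}  # officer display name -> real mailbox
VERIFIED_VENDOR_ACCOUNTS = {"Acme Supplies": "DE89370400440532013000"}  # payee -> account confirmed at onboarding
DUAL_APPROVAL_THRESHOLD = 10_000  # hypothetical policy limit

# Each control names the independent step that clears the corresponding hold.
REJECT_SENDER = "reject: sender impersonates an officer"
OOB_BANK_CONFIRM = "call payee on the number in the vendor master file and confirm the account"
DUAL_APPROVAL = "second authorised approver signs off"
VENDOR_ONBOARDING = "onboard payee through the vendor master file"


@dataclass(frozen=True)
class PaymentRequest:
    from_header: str      # raw From: header of the instructing email
    payee: str
    bank_account: str
    amount: float
    marked_urgent: bool = False


def required_controls(req: PaymentRequest) -> set:
    """Return the set of independent controls that must complete before this request is paid."""
    controls = set()
    name, addr = parseaddr(req.from_header)

    # 1. Executive impersonation: the display name is an officer's but the mailbox is not.
    #    Free-mail and look-alike domains fail alike, because only the known mailbox passes.
    expected = EXECUTIVE_MAILBOXES.get(name.strip().lower())
    if expected and addr.lower() != expected:
        controls.add(REJECT_SENDER)

    # 2. Vendor account changes: header checks cannot help when the vendor's own account is
    #    hacked, so any account that differs from the verified record needs out-of-band confirmation.
    verified = VERIFIED_VENDOR_ACCOUNTS.get(req.payee)
    if verified is None:
        controls.add(VENDOR_ONBOARDING)
    elif req.bank_account.replace(" ", "") != verified:
        controls.add(OOB_BANK_CONFIRM)

    # 3. Large amounts always need a second approver, whoever asked for them.
    if req.amount >= DUAL_APPROVAL_THRESHOLD:
        controls.add(DUAL_APPROVAL)

    # 4. Urgency is the scam's lever, not an authorisation: it adds a control, never removes one.
    if req.marked_urgent:
        controls.add(DUAL_APPROVAL)

    return controls


def may_release(req: PaymentRequest, completed: set) -> bool:
    """True only when no control rejects the request outright and every required one is done."""
    required = required_controls(req)
    return REJECT_SENDER not in required and required <= completed


# Constructed sample requests covering the cases in the text.
SPOOFED_EXECUTIVE = PaymentRequest("Jane Doe <jane.doe@examp1e.com>", "Acme Supplies",
                                   "DE89370400440532013000", 250_000, marked_urgent=True)
HACKED_VENDOR = PaymentRequest("Acme Supplies AP <ap@acme-supplies.example>", "Acme Supplies",
                               "GB29NWBK60161331926819", 8_000)
ROUTINE_VENDOR = PaymentRequest("Acme Supplies AP <ap@acme-supplies.example>", "Acme Supplies",
                                "DE89370400440532013000", 8_000)
REAL_EXECUTIVE = PaymentRequest("Jane Doe <jane.doe@example.com>", "Acme Supplies",
                                "DE89370400440532013000", 50_000)

if __name__ == "__main__":
    for label, req in [("spoofed executive", SPOOFED_EXECUTIVE), ("hacked vendor", HACKED_VENDOR),
                       ("routine vendor", ROUTINE_VENDOR), ("real executive", REAL_EXECUTIVE)]:
        print(f"{label}: holds={sorted(required_controls(req))}")
```

The gate never lets an email header clear a hold on its own: a rejected sender cannot be "approved" past the rejection, and the vendor case is released only after the telephone confirmation is recorded as a completed control by someone other than the requester.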
Companies also should take this opportunity to review their insurance coverage program to determine whether they are protected from the financial impact of email fraud. Many traditional Crime Policies include potentially applicable coverages, such as “Computer Fraud” and “Funds Transfer Fraud.” On October 25, 2017, one of the authors wrote an article for the New York Law Journal discussing these types of coverages and the different approaches various courts use to determine causation and coverage under potentially applicable policy language. Due to recent decisions, an analysis of potential coverage has become even more complicated. Recently, the United States Court of Appeals for the Second Circuit affirmed a district court ruling that a policyholder was covered under more traditional Crime Policy language for a scam employing a spoofed email account and resulting in the wiring of millions of dollars to a fraudster. The insurer had taken the position, rejected by the court, that the computer fraud language in the policy only applied to direct hacking situations. Similarly, the Sixth Circuit recently reversed a district court ruling and held that more traditional Crime Policy language applied to cover a company that was defrauded by someone impersonating one of the company’s vendors over email. Although each case is decided upon the specific facts and policy language at issue, there is some tension between these decisions and earlier decisions from the Fifth and Ninth Circuits that deny coverage under analogous circumstances.
A number of insurers also have begun selling coverage for the risk of “social engineering.” In insurance industry-speak, “social engineering” refers to fraud in which an employee is deceived, typically by email, into voluntarily transferring funds, the very loss that insurers have argued falls outside traditional “Computer Fraud” language. Whether this insurance is right for your company depends on many factors, including whether it overlaps with your company’s existing crime coverages. As policy language differs from insurer to insurer, a company should conduct a careful analysis of the specific terms and definitions in its policies to determine whether it has potential coverage gaps that need to be filled.
The full SEC report can be found here. Please contact the Olshan attorney with whom you regularly work or one of the attorneys below if you would like to discuss further or have questions. Olshan Frome Wolosky is a full-service law firm available to provide advice and analysis with respect to your company’s regulatory and risk management needs.
The SEC released a Statement and Guidance on Public Company Cybersecurity Disclosures in February 2018, which can be viewed here. We summarized the SEC’s guidance on our Securities Law Blog here.