SEC Registrants with Poor Cyber Controls

On October 16, 2018, the SEC’s Division of Enforcement issued an investigative report regarding cyber-related fraud’s effect on public company internal controls. The report reviewed nine cases in which public companies’ electronic communications were used to perpetrate fraudulent payments.

All companies investigated were traded on major exchanges and the sectors included technology, machinery, real estate, energy, financial, and consumer goods. In each case, the attack caused significant monetary damages – ranging from $1 million to $30 million. In total, the payments resulted in nearly $100 million in losses. The SEC classified these cyber frauds into two groups: emails from fake executives and emails from fake vendors.

Emails from fake executives used addresses designed to closely replicate real executive email addresses to request transfers of funds. According to the report, the fake payment requests were typically sent to “midlevel personnel, who were not generally responsible or involved in the purported transactions (and who rarely communicated with the executives being spoofed)”. The requests were typically related to unusual foreign transactions, as all of the companies investigated had foreign operations.

Emails from fake vendors used real foreign vendor email accounts that were hacked to request payment for invoices to fraudulent accounts. In some cases, the companies only discovered the schemes after real vendors requested payments.

Both patterns leave signals that an accounts-payable or mail-security team can check before a payment is released: an executive's display name on a sender address that is not the executive's known mailbox (often a domain one character away from the corporate domain), and an invoice from a known vendor that cites a bank account other than the one in the vendor master file. The following Python script is an added illustration of those two checks and is not code from the SEC report or from Audit Analytics; the executive directory, vendor master record and the three sample messages are constructed, and the `example.com` and `acme-parts.example` names are assumptions.

```python
"""Triage payment-request emails for the two BEC patterns described above:
lookalike executive senders and vendor invoices citing an unexpected account.
Added illustration with constructed sample data; nothing here is from the report."""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed directory: the genuine mailbox of each executive who can request payments.
EXECUTIVES: Dict[str, str] = {"Jane Doe": "jane.doe@example.com"}
CORPORATE_DOMAIN = "example.com"  # assumed corporate domain

# Constructed vendor master: last four digits of the account on file per vendor domain.
VENDOR_MASTER: Dict[str, Dict[str, str]] = {
    "acme-parts.example": {"vendor": "Acme Parts Ltd", "account_last4": "1234"},
}

# Matches "IBAN ... 9876" or "account ... 1234" in an invoice body.
ACCOUNT_RE = re.compile(r"(?:IBAN|account)[^0-9]*([0-9]{4,})", re.IGNORECASE)


@dataclass
class Message:
    display_name: str
    address: str
    subject: str
    body: str


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; used to spot domains one or two edits from the real one."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def check_executive_sender(msg: Message) -> List[str]:
    """Flag a message whose display name is an executive's but whose address is not theirs."""
    findings: List[str] = []
    expected = EXECUTIVES.get(msg.display_name)
    if expected is None or msg.address.lower() == expected:
        return findings
    findings.append(f"display name '{msg.display_name}' but sender {msg.address} is not {expected}")
    distance = edit_distance(domain_of(msg.address), CORPORATE_DOMAIN)
    if 0 < distance <= 2:
        findings.append(f"sender domain {domain_of(msg.address)} is {distance} edit(s) from {CORPORATE_DOMAIN}")
    return findings


def check_vendor_account(msg: Message) -> List[str]:
    """Flag an invoice from a known vendor that cites an account not in the vendor master."""
    findings: List[str] = []
    known = VENDOR_MASTER.get(domain_of(msg.address))
    if known is None:
        return findings
    for match in ACCOUNT_RE.finditer(msg.body):
        cited = match.group(1)[-4:]
        if cited != known["account_last4"]:
            findings.append(f"invoice from {known['vendor']} cites account ending {cited}, "
                            f"master record ends {known['account_last4']}")
    return findings


def triage(msg: Message) -> List[str]:
    return check_executive_sender(msg) + check_vendor_account(msg)


# Constructed sample messages: one lookalike executive, one altered vendor invoice, one genuine.
SAMPLE_MESSAGES = [
    Message("Jane Doe", "jane.doe@examp1e.com", "Urgent wire",
            "Please wire the acquisition deposit today; details to follow."),
    Message("Acme Parts Ltd", "billing@acme-parts.example", "Updated bank details",
            "Invoice 4471 attached. Our bank changed; please remit to IBAN ending 9876."),
    Message("Jane Doe", "jane.doe@example.com", "Q3 budget",
            "Attached is the Q3 budget for review."),
]


def run_sample() -> Dict[str, List[str]]:
    """Return findings keyed by subject for the constructed sample messages."""
    return {m.subject: triage(m) for m in SAMPLE_MESSAGES}


if __name__ == "__main__":
    for subject, findings in run_sample().items():
        print(subject, "->", findings or ["no findings"])
```

The two checks are deliberately independent of mail authentication: a compromised vendor mailbox passes SPF and DKIM, so the vendor case is caught only by comparing the cited account against the master record, which is the same comparison an out-of-band callback to the vendor would settle.
<test>
assert edit_distance("examp1e.com", "example.com") == 1
assert edit_distance("example.com", "example.com") == 0
results = run_sample()
assert len(results["Urgent wire"]) == 2
assert len(results["Updated bank details"]) == 1
assert results["Q3 budget"] == []
</test>

The objective of the SEC’s report is to shed light on how public companies may be in violation of securities laws, should they fall victim to this type of cyber fraud. More specifically, companies are required to maintain a system of effective internal controls over financial reporting to prevent, or at the very least detect timely, the types of cyber fraud discussed above.

The investigative report stopped short of recommending any enforcement action and did not name the companies that were investigated. Moreover, the report does not provide sufficient details to determine the identity of the companies.

Although we are unable to identify the companies, we were curious whether we could find similar cases. Using Audit Analytics’ cyber breaches dataset, we looked at recent examples and disclosures of companies that fell victim to the attacks described in the report.

In total, we looked at nine companies that disclosed incidents of similar breaches. Six of these companies disclosed the breaches in filings furnished with the SEC, though only one made the disclosure in a current report (8-K). Of the six companies that disclosed their cyber breaches in SEC filings, just three disclosed that the breach rose to the level of a material weakness in the companies’ internal controls. These three companies are discussed below.

Ubiquiti [UBNT]: Emails from fake executives

In June 2015, Ubiquiti Networks was the victim of a breach in which a Hong Kong subsidiary transferred $46.7 million to an overseas account held by a third party. The breach involved the targeting of the company’s finance department by individuals impersonating an employee.

As a result of the breach, Ubiquiti disclosed a material weakness in its internal controls in the following annual report. The company attributed the material weakness to “growth in the complexity of the business in fiscal year 2015 without commensurate growth in the capabilities of the financing and accounting organization contributed to this deficiency.”

Ubiquiti received an SEC comment letter regarding the cyber breach in October 2015.

“Note 14 – Business Email Compromise Fraud Loss, page 80

2. Please explain to us, in detail, the facts and circumstances concerning the fraudulent transfer of funds aggregating $46.7 million and why it is not necessary for you to correct previously filed financial statements. In this regard, identify the period over which the transfers occurred and quantify the amounts transferred by quarter. Also, explain to us the status of your investigation into this matter.”

In its partially redacted response, Ubiquiti disclosed that the initial fraudulent email was received on May 19, 2015. The company discovered the breach on June 5, 2015 and launched an internal investigation after being contacted by the FBI. The internal investigation found that 14 transfers, totaling $46.7 million, were made by the company’s Hong Kong subsidiary to “accounts of several entities in several jurisdictions (including Russia, Hong Kong, the People’s Republic of China, Hungary and Poland).” The transfers were made by the company’s former Chief Accounting Officer, Rohit Chakravarthy, in response to fraudulent emails purportedly from Robert Pera, the CEO of the company’s Hong Kong subsidiary, and Tom Evans, an attorney with Latham & Watkins.

In response to the deficient controls, Ubiquiti implemented new controls to remediate the material weakness, including the engagement of FTI Consulting, Inc., accepting the resignation of the company’s Chief Accounting Officer, and updating controls around cash distributions.

In its 2017 annual report, Ubiquiti disclosed that it had fully remediated the control deficiencies related to the cyber breach.

RealPage [RP]: Emails from fake vendors

In May 2018, RealPage was the victim of a breach in which a third party was able to access the systems of a RealPage subsidiary. The unauthorized party diverted $8 million intended for disbursement to three clients to a third-party account.

As a result of the breach, RealPage disclosed a material weakness in the company’s internal controls in the following quarterly report. RealPage attributed the material weakness to the cybersecurity incident the company had fallen victim to.

In response to the deficient controls, RealPage implemented new controls to remediate the material weakness, including multifactor authentication and employee training.

In its following quarterly report, RealPage disclosed that it had remediated the control deficiencies related to the cyber breach.

ConnectOne Bank [CNOB]: Emails from fake vendors

In November 2014, ConnectOne Bank discovered that a business customer had been the victim of a breach in which a third party was able to access the customer’s email account and divert $1.5 million of funds to a third-party account.

ConnectOne disclosed a material weakness in the company’s internal controls in the following quarterly report. The company attributed the material weakness to insufficient safeguarding of assets.

In response to the deficient controls, ConnectOne implemented new controls to strengthen customer verification procedures and approval authorities.

In its following annual report, ConnectOne disclosed that it had remediated the control deficiencies related to the cyber breach.

While the Division of Enforcement did not pursue enforcement action on any of the companies the Commission reviewed, it warned that “internal accounting controls may need to be reassessed in light of emerging risks” and, in particular, “issuers should evaluate to what extent they should consider cyber-related threats.”

This article was first available on Bloomberg, Eikon, FactSet and to subscribers of our Accounting Quality and Insights. For subscription information, please contact us at info@auditanalytics.com or (508) 476-7007.