Business email compromises continue to rise


...and the regulators are taking notice and putting emphasis on internal accounting controls

On October 16, 2018, the Securities and Exchange Commission (SEC) issued an investigative report on the increasing threat of business email compromise (BEC) and on the failure of internal accounting controls to mitigate this risk, a failure that has left organizations increasingly susceptible to cyber-related fraud. Specifically, the report focuses on nine companies that fell victim to cyber-related fraud through a series of BEC incidents involving spoofed electronic communications from persons masquerading as company executives or vendors. The nine organizations investigated by the SEC suffered a collective loss of approximately $100 million, the majority of which was never recovered.

Background on SEC Investigative Report

The report sheds light on the fact that the attacks succeeded despite the presence of preventive and detection-oriented internal accounting controls. In light of the new report, the similar interpretive guidance the Commission issued earlier this year, and the attention other regulators, including the Financial Crimes Enforcement Network (FinCEN) and the New York State Department of Financial Services, have given the topic, companies should evaluate the end-to-end fraud prevention and detection processes and the cybersecurity of their payment activities. Specifically, organizations should reassess their current control environment to reflect emerging risks arising from cyber-related fraud and incorporate new controls, where necessary, to detect and prevent such incidents.

How the findings of the SEC report are significant and why organizations are susceptible to similar risks

Although the SEC has chosen not to pursue enforcement action against these nine organizations, we believe regulators will continue to focus on, and at some point may take enforcement action against, companies that fail to maintain an effective system of internal accounting controls. In light of this, companies should now consider the various impacts of cyber-related attacks, including, but not limited to:

  • Significant fines that could be levied against a company if it is determined to have violated US laws or other regulatory requirements;
  • Financial impacts stemming from lawsuits or legal fees;
  • Remediation costs to resolve the incident; and
  • Reputational risk that could arise if such an incident is publicized.

Contact us

Joseph Nocera

Cyber & Privacy Innovation Institute Leader, PwC US

Amandeep Lamba

Principal, Cybersecurity and Privacy, PwC US

Michael Corey

Partner, Cybersecurity Privacy & Forensics, PwC US

Gerasimos J. Stellatos

Principal, Cybersecurity and Privacy, PwC US
