Regulators are signaling they expect companies to raise their game in protecting the corporate jewels from online hackers, especially in schemes that are not exactly novel.
A recent investigative report issued by the Securities and Exchange Commission describes nine separate instances where companies lost millions to e-mail hackers. The cases involved fraudsters posing as company executives or third-party vendors providing instructions on wiring funds.
It represents a “good policy decision,” said SEC Chairman Jay Clayton at a recent Financial Executives International conference, that the SEC chose to report on the issues without pursuing enforcement actions. “These are instances where the public companies were defrauded,” he said. “They were the victims. Could their controls have been better? We think so.”
The SEC thought it was appropriate to use the instances to inform the marketplace rather than further punish companies, said Clayton, but he made it clear the Commission will continue to keep an eye on the problem going forward. “We expect people to improve their controls around this area,” he said.
That’s a fair approach, in the view of Mary Hoeltzel, vice president and global chief accounting officer for insurer Cigna. “Most firms who are conscientious are doing the best they can to protect the organization from those threats,” she said. “Just because someone got into your system it doesn’t necessarily mean you were negligent.”
The recent report followed guidance the SEC issued earlier in 2018 that highlighted disclosure requirements with respect to cyber-security issues as well as procedures and controls over risks and incidents. Together, they are intended to serve as “a reminder that good controls and procedures can safeguard assets in addition to promoting good disclosure,” said Wes Bricker, SEC chief accountant, also speaking at the conference.
They might also serve as a warning that the SEC could show less restraint in the future and start handing out enforcement actions when companies lose assets to cyber-attacks. “That’s certainly my impression,” said Jeffrey Ward, national managing partner at BDO USA. “They’re taking baby steps, if you will, to get everyone moving in the right direction.”
Notices and guidance give people time to “start closing the gap,” said Ward. Fines and penalties may well follow.
In its report, the SEC focused on two types of e-mail fraud that target companies, said Chetan Gavankar, a principal in the cyber-security practice at KPMG. In the first, someone within a company receives e-mailed instructions, appearing to come from a company executive, to wire funds, usually urgently and discreetly. In the second, the fraudster compromises a vendor’s system and uses it to send what appear to be legitimate payment instructions from that vendor.
Many companies have already contemplated and addressed the possibility of spoofed e-mail, sometimes called “phishing” attempts, so the approaches to guard against such attacks are not necessarily new. Companies need to assess their environment and evaluate their weaknesses, then develop protocols or policies to guard against them.
Multifactor authentication is critical, said Vishal Chawla, principal at Grant Thornton and a national leader in risk advisory services. “Companies need to move away from single-factor authentication,” he said. “You need to do it.”
Companies also need to consider becoming more proactive, said Chawla, with more e-mail monitoring and the deployment of more advanced protections. “Third-party risk is a huge issue,” he said. “Having a much tighter relationship with third parties so if they have issues, they are reporting more quickly—that’s the shift we’re seeing in the marketplace.”
Clayton called it a matter of “understanding data interdependencies.” Individual companies are at risk, but so are the networks that connect companies, he said. “It’s all too apparent that a failure at one node can cause a problem at another,” he said. “We are going to have issues, and we are going to solve them more quickly if we understand the interdependence.”
Companies could take a few cues from the financial services sector, where entities are charged with protecting not just their own assets, but their customers’ as well. “Cyber-security is paramount to those organizations,” said Gavankar. “They’ve dedicated considerable resources to this.”
Financial services companies have adopted technology protocols to weed out suspicious e-mail, to verify that e-mail is coming from the correct server, to verify e-mail integrity, to quarantine suspicious e-mail, and to block messages or alter how they are displayed, said Gavankar. For any company, though, the process begins with a solid risk assessment, he said.
“You have to perform cyber-risk assessments and understand your business and IT assets, third parties, and your key business processes,” said Gavankar. “You need to identify what risks exist and implement security controls.”
While not wanting to over-generalize, Gavankar said, users are often the weakest link, making training paramount. “You have to train people that this is out there and to be careful what you click, what you download, what you react to,” he said. “Sometimes people just forget the basics.”
Ward said companies would be wise to take up guidance issued by the American Institute of Certified Public Accountants on adopting a cyber-security risk management reporting framework. The guidance has helped some companies steer away from viewing cyber-risk as a problem for the IT department alone to address.
“It drives good discussion,” said Ward. “You think you have good controls in place, but how do you know? Are you doing real-time testing or security training awareness?”