Reuters just made me aware of a U.S. Securities and Exchange Commission report on a recent SEC investigation into whether nine companies that had been victims of CEO fraud had the internal controls in place that the law requires.
The report focused on what the FBI calls “business email compromise” and what is known in InfoSec circles as CEO Fraud: cyber criminals pose as company executives to dupe staff into wiring company funds to bank accounts controlled by the attackers. The FBI estimates such scams have led to a whopping 12 billion dollars in losses since 2013.
In some cases, attacks on these companies lasted months and were only discovered when law enforcement intervened. Each had securities listed on a national stock exchange and lost at least 1 million, though two lost more than 30 million and one lost more than 45 million.
Stephanie Avakian, Co-Director of the SEC Enforcement Division, said in a statement: “We did not charge the nine companies we investigated, but our report emphasizes that all public companies have obligations to maintain sufficient internal accounting controls and should consider cyber threats when fulfilling those obligations.”
Regulators and lawmakers are increasingly focused on the risks cyber criminals pose to companies and their customers following a series of high-profile incidents.
Not Just Public Companies
And it’s not just public companies that are required to have internal controls against risks like this. A growing body of recent case law shows that you need to have defenses against social engineering in place: any organization needs what the courts view as “Reasonable Cybersecurity”.
Cyber-attacks are rapidly getting more sophisticated. GDR Group will help train your employees to better manage the urgent IT security problems of social engineering, spear-phishing and ransomware attacks. Take the first step now and email email@example.com to request a quote for Security Awareness Training and Phishing Testing for your organization.