SEC Warns Companies on Spoof Emails: Q&A With Bass, Berry & Sims Litigator
"I think the SEC is inching closer to the point where they're going to take action on companies that don't have adequate safeguards."
October 26, 2018 at 12:54 PM
The U.S. Securities and Exchange Commission released an investigative report earlier this month detailing how spoof emails at nine publicly traded companies caused them to lose approximately $100 million in total.
The method of attack was similar for each company: Perpetrators sent emails to employees of the unnamed companies purporting to be executives seeking a wire transfer, or a vendor looking for any unpaid invoices.
More recently, Voya Financial Advisors Inc. last month agreed to pay $1 million to settle charges, brought by the SEC under a formerly unused statute, in connection with an April 2016 cyber-intrusion that compromised more than 5,600 customers' personal information. And in April the SEC took its first enforcement action for failure to disclose a data breach, against the company formerly known as Yahoo, which paid a $35 million penalty for the massive breach.
Corporate Counsel spoke with Britt Latham, chair of the securities litigation practice group at Bass, Berry & Sims in Nashville, about the investigative report and what it means for companies going forward. Latham said that though the SEC chose not to bring enforcement actions against the affected companies, the SEC report shows that the commission is scrutinizing these types of fake email incidents and sending a message to publicly traded companies that complying with federal securities laws requires them to identify and address such cybersecurity risks. In February, the SEC issued guidance on the subject.
Here are excerpts from that conversation, edited for brevity and clarity.
Corporate Counsel: Just to begin, what is an email spoofing attack?
Britt Latham: It's sometimes what the SEC calls a business email compromise. It's someone pretending to be someone that they're not, in simple terms. This SEC investigative report that came out on Oct. 16, the SEC was looking at nine public companies that were the victims of cyber-related fraud. In each of those, the company was the victim of an email from a fake executive or an email from a fake vendor which requested a wire transfer for payment of monies either from the executive or owed to the vendor.
Are these sophisticated attacks that are difficult to detect?
They [the hackers] will get the information from the executive and will send it. Sometimes it's one letter or one number off and will send it to someone in the company. It's interesting, the ones from the executives the SEC designated as “not sophisticated” because they were just an email from the purported executive to the chief financial officer or some employee asking to wire money. They acknowledged that the ones from the vendors were a little more sophisticated because they involved some hacking to get certain information and had invoices that looked real. They're using real law firms' names and the real names of accountants. They're putting decent bait in the water, if you will.
What are some ways to prevent these kinds of attacks?
I do think training is a big part of that. All companies need to learn as more of these are reported. That's a big part of why the SEC issued the report. They want companies to read this, understand these schemes, be reminded to address the risk of internal controls and in some sense remind the companies that the failure to have the internal controls may violate the federal securities law.
In addition to training to help identify these things, I'm not sure beyond additional internal controls. If you take these nine instances, you need to make sure you have policies and procedures where you have two-person approval on large invoices over a certain amount, and then abide by those policies.
The SEC chose not to impose any civil penalties in these instances. Why do you think that is?
The SEC has been reluctant to pile on and seek action against companies that have been victimized. But on the other hand, they have an obligation to protect shareholders. I think companies will see this report as a warning that they've got an obligation to do all they can do to prevent the intruders from coming into the house, and if they don't lock the doors and windows properly, they can be punished for that.
I think the SEC is inching closer to the point where they're going to take action on companies that don't have adequate safeguards. If you look at instances where confidential information of customers or third parties has been involved, the SEC is much more likely to pursue an enforcement action.