SEC Report on Internal Controls, Cybersecurity

By:  Tom Gorman

Cyber-security has become – or perhaps should be – a key area of concern for every enterprise. The risks are substantial for the firm, its shareholders, executives and customers as recent cases illustrate. Every enterprise large or small is a potential victim. The losses can and often are substantial not just in dollars but also in trust, customers and more. The Commission has issued guidance. The agency has also brought enforcement actions.

Now, however, the Commission has issued a report based on nine investigations of firms involved in a variety of industries, cautioning about cyber risks in the context of the firm’s obligations to maintain proper internal controls. Report of Investigation Pursuant to Section 21(a) of the Exchange Act Regarding Certain Cyber-Related Frauds Perpetrated Against Public Companies, October 16, 2018.

Report

The Report involved investigations of issuers in lines of business that ranged from technology, machinery, real estate and energy to financial and consumer goods. Each intrusion centered on the use of email. Each intrusion succeeded in part because of a human component – a lack of training, failure to understand controls or properly apply them. Collectively the companies lost millions of dollars.

The schemes were not sophisticated. The intruders generally employed one of two methods. The first centered on the use of emails from non-affiliates of the firm to company executives using spoofed email domains and addresses. Typically the email went to finance personnel who were directed to coordinate with outside counsel to complete a deal or transaction. The law firm and attorney names were real. Eventually the intruder would claim that there was a time-sensitive deal or that funds were required for a foreign transaction and request a transfer of funds. The emails in these cases often contained simple errors.

The second centered on impersonating an issuer’s vendors. This scheme usually began with identifying venders of the firm, penetrating their system and then forwarding emails to the company. The intruders would typically correspond with issuer personal responsible for procuring goods from vendors. They would be requested to initiate changes to the vendor’s banking information. The requests included fraudulent account information. As in the first variation, eventually funds would be wired. Overall the nine issuers involved here lost millions of dollars, most of which have not been recovered.

None of the issuers involved in the underlying investigations were charged. Rather, the investigations are being used to emphasize the fact that cyber-security “presents ongoing risks and threats to our capital markets and to companies operating in all industries. . .” Cyber security risks and management are thus crucial to every issuer. This is particularly true in view of their obligations under Exchange Act section 13(b)(2)(B).

The internal controls provisions of the Exchange Act require that the firm implement a system of internal accounting controls sufficient to provide reasonable assurances that transactions are executed in accord with management’s authorization and that access to assets is only permitted as authorized. Accordingly, when assessing the adequacy of internal controls, it is imperative to consider cyber-security risks. Those risks are well illustrated by the nine investigations here where the “frauds were not sophisticated. . . [and relied] on technology to search for both weaknesses in policies and procedures and human vulnerabilities that rendered the control environment ineffective.” Having systems which factor in cyber-related threats and the related human vulnerabilities, is thus critical, the Report notes.

The Report concludes by noting that “the Commission is not suggesting that every issuer that is the victim of a cyber-related scam is . . . in violation of . . .” the securities laws. Rather, the lesson to be drawn from the Report and the underlying investigations is that “internal accounting controls may need to be reassessed in light of the emerging risks, including risks arising from cyber-related frauds.”

Comment

The report repeatedly cites to the history of the internal control provisions and earlier Commission guidance. Viewed in this context the report ties directly to the traditional view of the agency on internal controls. Indeed, that view is frequently seen in financial fraud cases and actions based on the Foreign Corrupt Practices Act.

The report does, however, reach beyond the traditional view of the Commission in this area. A key point of emphasis is the “human” element of controls. This is illustrated in the examples of conduct where there was an intrusion discussed in the Report. The schemes were not sophisticated. There were red flags. Yet the intrusion succeeded because those in charge were fooled, missed the red flags or were not well trained – the human element of internal controls.

While the Report does not develop the “human” element of internal controls in any real sense, the references are noteworthy if for no other reason than this point has traditionally not been emphasized. This human element is in many senses an implementation and training point – properly implementing internal controls requires training and the proper environment. As the examples in the Report illustrate, intrusions are often based on simple schemes. To thwart them, however, there must be proper controls, implemented in an appropriate environment through adequate training – the new element to SEC internal controls.

Extraterritorial Application of The GDPR

By:  Ron Moscona, Jamie Nafziger and Clint Conner

The EU General Data Protection Regulation (GDPR), which is billed as the most important development in data privacy regulation in at least 20 years, arrived with a bang in May of this year and companies have been scrambling to implement compliance measures that will avoid its stiff penalties.   Companies are still struggling to understand the GDPR’s implications and all of the ways it might affect their businesses.

UNCERTAINTY RELATING TO ENFORCEMENT OUTSIDE THE EU

Some of the uncertainty relates to how and to what extent the GDPR will be enforced outside the EU.  The GDPR requirements apply on a global scale.  The GDPR expressly applies to any organization outside the EU that processes personal data of individuals in the EU in connection with offering goods or services to such individuals or monitoring their behavior, see GDPR, Art. 3(2), and the GDPR requires such organizations to designate a representative within the EU, see GDPR, Art. 27, which is seemingly intended to facilitate enforcement against such organizations outside the EU.  But it is not entirely clear how its requirements will actually be enforced against entities outside the EU as a practical matter. Currently, there is no regulatory guidance regarding extraterritorial enforcement.

THE BREXIT DATA PRIVACY CASE PROVIDES SOME CLARITY

A recent development out of the UK highlights the extraterritorial enforcement issue.  In July, the Information Commissioner’s Office (ICO), which is the UK’s data protection regulator, issued its first ever GDPR “enforcement notice” against an entity located outside the UK.  That entity is AggregateIQ Data Services Ltd (“AIQ”), which is a Canadian company with no apparent presence in the EU and no designated EU representative.

AIQ was implicated in the ICO’s investigation into Cambridge Analytica’s use of EU citizens’ Facebook data for analytics for the Brexit political campaign.  AIQ disputed allegations that it is affiliated with Cambridge Analytica and refused to fully cooperate with the ICO’s investigation, taking the position that it is not subject to the ICO’s jurisdiction. Nonetheless, based on the evidence it was able to collect, the ICO found that AIQ violated the GDPR by, among other things, processing personal data of EU citizens in a way that the individuals were not aware of, for purposes which they would not have expected, and without a lawful basis.

The ICO’s GDRP enforcement notice ordered that AIQ stop processing “any personal data of UK or EU citizens obtained from UK political organisations or otherwise for the purposes of data analytics, political campaigning or any other advertising purposes” within 30 days of the notice date.  Failure to comply with such a notice could result in the ICO issuing a fine of up to 20 million euros or 4% of the company’s annual worldwide revenue, whichever is greater.

AIQ appealed the enforcement notice to the first-level tribunal arguing that the ICO did not have jurisdiction over the company, the GDPR did not apply because the alleged conduct had taken place before the GDPR was in force, and the notice was too broad.  The ICO thereafter issued an amended enforcement notice that, according to the ICO, clarifies the steps AIQ must take in order to comply with the notice.  The ICO’s amended notice orders AIQ to delete any UK personal data on AIQ’s servers that the company had told the ICO it held in May 2018.

AIQ has since withdrawn its appeal and indicated it will comply with the amended enforcement notice.

It is important to note that Canada’s Office of the Privacy Commissioner and British Columbia’s Information and Privacy Commission (“BCIP”) had been working in close cooperation with the ICO in the investigation of AIQsince late 2017.  Canada has its own privacy laws applicable to AIQ’s alleged conduct – Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), which will come into effect on November 1, 2018, and the Personal Information Protection Act (PIPA) applicable in certain provinces.

TAKEAWAYS

This suggests that Canadian authorities might be willing to assist with GDPR enforcement against Canadian companies, at least in high-profile cases that impact Canadians (even if indirect).  The Canadian government’s willingness to do so likely relates to the fact that Canada has its own privacy laws similar to GDPR that it must enforce and to the close historical ties between Canada and the UK.   This case also suggests that a non-EU company would likely comply with a GDPR enforcement notice in cases where that company’s government assists the EU’s investigation.

However, there are still many outstanding questions regarding extraterritorial enforcement of the GDPR.  This case provides little insight regarding the extent to which other non-EU countries would assist with executing a GDPR investigation or enforcement notice against one of their own companies, and does not forecast what a non-EU company served with a GDPR enforcement notice would do in situations where local authorities do not get involved.

Presumably, non-EU companies with significant assets in the EU that the EU government is able to seize, or having business interests in the EU that they wish to pursue, would feel compelled to satisfy GDPR enforcement notices in order to avoid the stiff GDPR penalties or repercussions in terms of their freedom to conduct business.  But what about other companies located in countries that, unlike Canada, would not get involved in a GDPR investigation or enforcement?  So far, the international community has not developed a system for cross-border enforcement of privacy rights.  It is unlikely that such a system will be put in place at least until a reasonable level of harmonization is achieved in the approach to data protection adopted across different jurisdictions.  As long as countries continue to take very different approaches to data protection and privacy, it is likely that the existing international arrangements for the mutual recognition and enforcement of judgements will not be very effective in relation to enforcement orders and penalties imposed by national authorities for the infringement of such rights.

For the same reasons, it remains unclear how GDPR enforcement would play out in the United States.  The U.S. currently has no federal law similar to the GDPR.  The Trump administration is discussing a U.S. version of the GDPR that would have provisions similar to provisions in the GDPR, but the passage of such a law is not imminent.  To the extent the U.S. enacts such a law, the U.S. might be incentivized to assist with GDPR investigations or enforcement against U.S. entities at least to the extent consistent with the terms of the U.S. law for purposes of encouraging reciprocal comity with the EU.   However, given the Trump administration’s foreign policy stance, it is highly unlikely that the U.S. would assist in enforcing violations of any GDPR provisions that go beyond the U.S. law.

In June, California enacted the California Consumer Privacy Act of 2018 (“CCPA”), which is similar in some respects to the GDPR, with unanimous California Senate and Assembly approval.  It remains to be seen whether the California Attorney General’s office would assist with a GDPR investigation of a California company to encourage reciprocal comity with the EU in connection with enforcement of their respective data privacy laws.