Effect of Cyber Fraud on Companies’ Internal Controls
There are a variety of ways in which perpetrators can attack companies and get access to sensitive and confidential information. One of the most common types of attacks is the spear phishing attack. A phishing attack is defined as the practice of sending emails that appear to be from a trusted source with the goal of gaining personal information or influencing users to do something. Spear phishing is a targeted form of phishing activity whereby attackers conduct research into their targets and create messages that are personal and relevant. A phishing attack is also classified as a type of social engineering attack. Social engineering relies heavily on human interaction and involves manipulating people into breaking normal security procedures and best practices for financial gain or in order to gain access to systems, networks or physical locations.
These fraudulent email attacks have become a prevalent method over the last few years for perpetrators to take money from companies. In many cases, public companies registered with the U.S. SEC are targets. In a report issued by the SEC, a total of nine cases were analyzed in which fraudulent emails were sent to either executives or vendors asking for a transfer of funds. In some of these cases, the companies’ failure to prevent or detect the cyber-attack in a timely manner resulted in a material weakness in their internal controls. None of these companies were specifically named. However, Audit Analytics performed an analysis of nine cases where companies disclosed incidents of similar breaches. It was noted that six out of the nine companies disclosed these incidents in their SEC filings. Of these six companies, three disclosed that the breaches resulted in a material weakness in their internal controls. Audit Analytics took a closer look at these three companies – Ubiquiti Networks, RealPage and ConnectOne Bank.
Ubiquiti Networks is a technology company headquartered in New York, NY which manufactures wireless data communication products for enterprises and wireless broadband providers. A series of fraudulent emails, beginning on May 19, 2015, were sent to the company’s former chief accounting officer claiming to be from the company’s CEO, Robert Pera. The chief accounting officer sent 14 transfers totaling $46.7 million to various entities in different countries. The breach was not discovered until June 5, 2015. As a result of this breach, new controls were implemented in the cash distributions process and the control deficiencies were fully remediated.
RealPage is a software company headquartered in Richardson, TX which provides property management software to companies in the multifamily, commercial, single-family, and vacation rental housing industries. The perpetrator gained access to the systems of a RealPage subsidiary in May 2018. A total of $8 million, which was to be paid to three vendors, was instead diverted to the perpetrator’s account. As a result of this breach, new controls such as multifactor authentication and employee training were implemented and the control deficiencies were fully remediated.
ConnectOne Bank is based in Princeton, NJ and provides personal and business banking products and services. The perpetrator gained access to a business customer’s email account in November 2014 and a total of $1.5 million was diverted to the perpetrator’s account. As a result of this breach, new controls related to customer verification procedures and approval authorities were implemented and the control deficiencies were fully remediated.
These case studies show how important it is to consider cybersecurity risks when evaluating companies’ internal controls. Companies should ensure that the internal controls in place are addressing these risks and, if not, should consider implementing new controls. These risks can be proactively addressed before they are exploited by performing a cyber risk assessment. A cyber risk assessment, as defined by the National Institute of Standards and Technology (NIST) guidelines, is used to identify, estimate, and prioritize risk to organizational operations, organizational assets, individuals and other organizations resulting from the operation and use of information systems. Performing a cyber risk assessment can provide companies with the following benefits:
- Reduce long-term costs
- Provide a template for future assessments (as cyber risk assessments should be updated continuously)
- Provide the organization with greater self-awareness
- Help avoid breaches and other security incidents
- Improve communication (as it requires input from various departments)
Auditors should also look out for specific areas of weakness when performing an audit. For example, auditors should inquire about and verify that there are controls around wire transfers, such as a requirement for redundant signatures, voice verification of the person requesting the wire, and/or automatic flagging of external emails. Taking a proactive approach to addressing cybersecurity risks will reduce the likelihood of a breach or security incident that could ultimately lead to a material weakness in a company’s internal controls.
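The three wire-transfer controls just named (redundant approval, voice verification of the requestor, and flagging of external senders) can be expressed as a single policy check that a treasury system or an auditor's test script could run over each transfer request. The following Python is an added illustration written for this page; it is not code from the newsletter or from any of the companies discussed. The company domain `example-corp.com`, the approval threshold and the two sample requests are all constructed, and the lookalike-domain test uses a plain edit-distance comparison as one simple way to catch spoofed sender domains.

```python
"""Illustrative wire-transfer control gate (added example; all data constructed)."""
from dataclasses import dataclass, field

INTERNAL_DOMAIN = "example-corp.com"   # constructed company email domain
DUAL_APPROVAL_THRESHOLD = 10_000.0     # constructed: wires at/above this need two approvers


@dataclass
class WireRequest:
    request_id: str
    sender_email: str          # who emailed the instruction
    amount_usd: float
    beneficiary: str
    approvers: list = field(default_factory=list)  # people who signed off
    voice_verified: bool = False  # requestor confirmed by call-back on a known number


@dataclass
class Decision:
    approved: bool
    flags: list
    reasons: list


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; small strings only, so a plain DP is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_flags(sender_email: str, internal_domain: str = INTERNAL_DOMAIN) -> list:
    """Flag mail from outside the company, and separately flag near-miss domains."""
    flags = []
    domain = sender_email.rsplit("@", 1)[-1].lower()
    if domain != internal_domain:
        flags.append("EXTERNAL_SENDER")
        if _edit_distance(domain, internal_domain) <= 1:
            flags.append("LOOKALIKE_DOMAIN")
    return flags


def evaluate_wire(req: WireRequest) -> Decision:
    """Apply the three controls; any failed control blocks the wire."""
    flags = sender_flags(req.sender_email)
    reasons = []
    if "EXTERNAL_SENDER" in flags:
        reasons.append("instruction originated outside the company domain")
    distinct_approvers = {a.lower() for a in req.approvers}
    if req.amount_usd >= DUAL_APPROVAL_THRESHOLD and len(distinct_approvers) < 2:
        reasons.append("two distinct approvers required above threshold")
    if req.sender_email.lower() in distinct_approvers:
        reasons.append("requestor may not approve their own wire")
    if not req.voice_verified:
        reasons.append("requestor not voice-verified by call-back")
    return Decision(approved=not reasons, flags=flags, reasons=reasons)


# Constructed sample requests: one mimicking a spoofed-executive instruction,
# one that passes every control.
SUSPECT = WireRequest("W-1001", "ceo@example-c0rp.com", 500_000.0,
                      "Overseas Supplier Ltd", approvers=["cao@example-corp.com"])
LEGIT = WireRequest("W-1002", "controller@example-corp.com", 250_000.0,
                    "Known Vendor Inc",
                    approvers=["cfo@example-corp.com", "treasurer@example-corp.com"],
                    voice_verified=True)

if __name__ == "__main__":
    for req in (SUSPECT, LEGIT):
        d = evaluate_wire(req)
        print(req.request_id, "APPROVED" if d.approved else "BLOCKED", d.flags, d.reasons)
```

Run as a script, the first request is blocked with three reasons and both the external and lookalike flags, while the second passes. An auditor can reuse `evaluate_wire` as a test of design by feeding it historical wire records and checking that every approved wire would also have been approved by the stated policy.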
PRTS Intelligence Newsletter - Q1 2019