The passage of the Sarbanes-Oxley Act of 2002 (SOX) was a direct response to the staggering fraud scandals at WorldCom and Enron. In these high-profile cases, opaque accounting practices allowed dishonest insiders to defraud investors of vast amounts of money. SOX sought more accurate and transparent internal controls and financial reporting. Fueled by public anger, the bill very quickly came together and passed into law.
While upfront compliance costs were high, the added scrutiny and transparency have largely proven beneficial for both companies and their investors.
However, even full compliance with SOX does not give companies complete protection against fraud. Because the law was written to address insider fraud, it mandates far fewer protections against fraud perpetrated by external actors.
That is a critical gap, especially amid mounting cyber-fraud. Attackers wield powerful and increasingly sophisticated tools, and they have the savvy to find where systems and processes are weakest, bypassing companies’ internal processes through social engineering and attacks on IT systems.
In February 2018, updated SEC interpretive guidance on cybersecurity disclosures explicitly inserted the need to address cyber concerns as part of broader financial reporting and internal controls. These guidelines were a step in the right direction, as events just a few months later showed. In October 2018, the SEC released an investigative report on the emerging threat of email fraud and social engineering, describing how attacks at nine large public companies led to nearly $100 million in losses.
The report enumerated multiple lapses in security, yet it did not conclude that the victims of these scams were in violation of the internal-controls requirements. This is concerning, because the scale and degree of fraud in the report was extremely troubling. And not coincidentally, these were exactly the types of external fraud that SOX compliance does not do enough to address.
Both categories of fraud detailed in the report used email to carry out a social engineering scheme. In the first, emails impersonating executives directed mid-level finance staff to wire large sums to foreign bank accounts. In the second, emails impersonating vendors, or hijacked legitimate transaction requests, were used to redirect payments to accounts controlled by the attackers.
These schemes show that it is remarkably easy for dedicated actors, inside or outside an organization, to subvert SOX-mandated business processes and the ERP systems that implement them. In many of the cases, companies missed the fraud altogether; only months later, when a third party noticed discrepancies, did the true extent of the losses come to light.
Given the regulatory gaps, becoming attuned to these types of threats is vital.
What to Watch For
Companies today have three main attack vectors to watch out for:
- Social engineering attacks (like those in the SEC report) circumvent many internal controls because attackers simply go around them. By impersonating an employee or vendor who holds the required level of authorization, the attacker makes every subsequent request look completely legitimate. Such a request can even satisfy SOX’s strict segregation-of-duties controls, because those controls check that the process was followed, not that the identity behind the request is genuine. The tactics used to hijack or invent a vendor’s identity are increasingly beyond what the business processes enforced by current regulations can detect.
- Internal processes are also vulnerable to direct interference with a company’s IT systems. Those systems are the technical infrastructure that actually enforces the rules behind a company’s internal controls. If attackers can infiltrate and manipulate them, they can bypass the controls entirely. One example is changing a vendor’s bank account details and then covering their tracks by deleting the audit records of that change: when the IT system later verifies a payment order against the tampered master data, the order appears legitimate and is released automatically.
- External malware and phishing attacks also target a company’s technical systems, but they get in by compromising something outside the control system itself. Instead of picking the lock, these attacks steal the keys. For example, an email-based approval process can be compromised by phishing the credentials of a critical mailbox; with those stolen credentials, attackers gain a foothold inside the company’s internal control systems. Combined with emerging deep-fake voice and telephone schemes, such attacks can defeat even two-factor authentication where a phone call-back is the second factor.
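As an added illustration of the second and third vectors above, and of the redirection schemes in the SEC report, the following Python screens each outgoing payment order against an independently held copy of the vendor master and its change log. This is example code written for this page, not code from the page or from nsKnox. All vendor records, audit entries, payment orders, IBANs and the reference date are constructed, and the snapshot of past account numbers is assumed to be kept outside the ERP, so that deleting the ERP’s audit entries does not also erase the evidence of the change.

```python
"""Added example: screening payment orders against vendor master data and its
audit trail. Every record below is constructed for illustration."""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class Vendor:
    vendor_id: str
    name: str
    country: str            # ISO country code the vendor is registered in
    iban: str               # current bank account in the ERP vendor master
    iban_history: list      # assumed: append-only snapshot held outside the ERP


@dataclass
class AuditEntry:
    vendor_id: str
    changed_on: date
    old_iban: str
    new_iban: str
    changed_by: str


@dataclass
class PaymentOrder:
    order_id: str
    vendor_id: str
    iban: str               # account the payment will actually be sent to
    amount: float
    requested_by: str
    approved_by: str


def unexplained_changes(vendor, audit):
    """Each transition in the independent account history must be backed by an
    audit entry. A transition with none means the change was made outside the
    controlled process or its audit record was deleted afterwards."""
    entries = {(e.old_iban, e.new_iban) for e in audit if e.vendor_id == vendor.vendor_id}
    hist = vendor.iban_history
    return [(a, b) for a, b in zip(hist, hist[1:]) if (a, b) not in entries]


def screen_payment(order, vendors, audit, today, recent_days=30):
    """Return the list of reasons to hold the order; an empty list means release."""
    flags = []
    vendor = vendors.get(order.vendor_id)
    if vendor is None:
        return ["unknown vendor"]
    if order.iban != vendor.iban:
        flags.append("destination differs from vendor master")
    if unexplained_changes(vendor, audit):
        flags.append("vendor account changed without audit entry")
    recent = [e for e in audit
              if e.vendor_id == vendor.vendor_id and e.new_iban == order.iban
              and (today - e.changed_on).days <= recent_days]
    if recent:
        flags.append(f"destination account changed within {recent_days} days")
    if order.iban[:2] != vendor.country:   # IBAN starts with its country code
        flags.append("destination bank country differs from vendor country")
    if order.requested_by == order.approved_by:
        flags.append("requester and approver are the same user")
    return flags


# Constructed sample data. V2 is the tampering case: the account was switched
# to a Lithuanian IBAN and the ERP audit entry for that change was deleted.
TODAY = date(2024, 6, 1)
VENDORS = {v.vendor_id: v for v in [
    Vendor("V1", "Acme GmbH", "DE", "DE89370400440532013000",
           ["DE89370400440532013000"]),
    Vendor("V2", "Globex Ltd", "GB", "LT121000011101001000",
           ["GB29NWBK60161331926819", "LT121000011101001000"]),
    Vendor("V3", "Initech SAS", "FR", "FR7630006000011234567890189",
           ["FR1420041010050500013M02606", "FR7630006000011234567890189"]),
]}
AUDIT = [
    AuditEntry("V3", TODAY - timedelta(days=10), "FR1420041010050500013M02606",
               "FR7630006000011234567890189", "vendor_portal"),
]
ORDERS = [
    PaymentOrder("P1", "V1", "DE89370400440532013000", 12500.00, "alice", "bob"),
    PaymentOrder("P2", "V2", "LT121000011101001000", 480000.00, "alice", "bob"),
    PaymentOrder("P3", "V3", "FR7630006000011234567890189", 91000.00, "carol", "bob"),
    PaymentOrder("P4", "V1", "GB29NWBK60161331926819", 250000.00, "dave", "dave"),
]


def screen_all(orders=ORDERS, vendors=VENDORS, audit=AUDIT, today=TODAY):
    return {o.order_id: screen_payment(o, vendors, audit, today) for o in orders}


if __name__ == "__main__":
    for oid, flags in screen_all().items():
        print(oid, "RELEASE" if not flags else "HOLD: " + "; ".join(flags))
```

In this run P1 is released, P2 is held because its destination matches the tampered master but the account change has no audit entry and the bank sits in a different country from the vendor, P3 is held only because its (legitimately logged) account change is recent, and P4 is held on three counts. A hold should trigger verification through a channel the attacker does not control, for example a call to a number taken from the original vendor contract rather than from the email that requested the change.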
Each of these attack vectors exploits internal control systems that are not attuned to the rapidly evolving reality of cyber-fraud. Such threats have proliferated because bad actors recognize the implicit trust built into companies’ internal control systems. Worse, the complex, multi-step processes of today’s control systems present multiple weak points for fraudsters to exploit.
To combat fraud, SOX compliance alone is no longer enough. Achieving full protection will require companies to implement internal control systems designed with emerging cyber threats in mind: processes must be streamlined, data protected, and authentication continuous and automated. Even where the law does not yet require it, companies would be wise to start aspiring to these standards today. Current regulations do not fully reflect the scope and severity of cyber-fraud, so aiming only for compliance can create a false sense of security. Meeting regulatory requirements is a must, but the ultimate aim should always be to safeguard company revenues, assets and reputation, and fortifying financial controls is a natural and impactful place to start. To that end, nsKnox has developed a robust external solution that is not only SOX-compliant but provides the additional protective layer the modern enterprise needs to combat cyber-fraud effectively.