The Massachusetts Clean Energy Center Did Not Prevent or Properly Report the Theft of $93,679 in Public Funds.

The Massachusetts Clean Energy Center (MassCEC) did not have effective internal controls (i.e., policies and procedures) in place for the wire transfer of agency funds. As a result, a cyberscammer was able to get a MassCEC official to transfer $93,679 in public funds to an account the scammer controlled. Most of these funds were not recovered, so the agency was unable to use them to further its mission of promoting clean energy technology, projects, and companies.

Further, MassCEC management did not inform the agency’s board of directors of this theft in a timely manner. Specifically, although the theft occurred on January 9, 2017 and was detected by MassCEC on February 3, 2017, MassCEC management did not inform its board of the theft until September 15, 2017. As a result, the board could not provide timely guidance regarding any measures that should be taken to address the problem and prevent this from happening in the future.

In addition, although MassCEC verbally contacted the Commonwealth’s Office of the Attorney General and the Boston Police Department about this matter, it never formally filed a criminal complaint concerning the theft. Although MassCEC eventually recovered $25,261 of the stolen funds from the bank where they had been deposited, if the agency had officially requested the assistance of law enforcement, it might have been able to prosecute the perpetrator and recover additional funds.

The most widely used framework for internal controls in the United States was developed by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) and represents best practices that should be used by organizations such as MassCEC in their development of effective internal control systems. The COSO document Internal Control—Integrated Framework adopted the concept of enterprise risk management, a key element of which is an organization’s identification and assessment of the risks inherent to its operations that could prevent the accomplishment of its mission and goals and the controls in effect to mitigate those risks.

COSO specifically refers to cyber-risks and methods to prevent and detect fraud in its 2015 report COSO in the Cyber Age:

When a company manages cyber risk through a COSO lens, it enables the board of directors and senior executives to better communicate their business objectives, their definition of critical information systems, and related risk tolerance levels. This enables others within the organization, including [information technology, or IT] personnel, to perform a detailed cyber risk analysis by evaluating the information systems that are most likely to be targeted by attackers, the likely attack methods, and the points of intended exploitation. In turn, appropriate control activities can be put in place to address such risks. . . .

Because cyber risk exposure can come from many entry points, both internal and external to the organization, preventive and detective controls should be deployed to mitigate cyber risks. . . .

Effective communication between the board of directors and management, including senior executives and operational management, is critical for the board to exercise its internal control oversight responsibilities.

In addition, the federal Department of Homeland Security (DHS) provides guidance on reporting cybercrimes and suggests reporting such incidents to the Federal Bureau of Investigation (FBI) Internet Crime Complaint Center. In its bulletin Cyber Incident Reporting, published September 22, 2016, DHS advises victims to “report cybercrime, including computer intrusions or attacks, fraud, intellectual property theft, identity theft, theft of trade secrets, criminal hacking, terrorist activity, espionage, sabotage, or other foreign intelligence activity to the FBI Field Office Cyber Task Forces.”

Although MassCEC management did perform a risk assessment of its business activities to identify any potential risks, it did not consider cyberthreats as part of that overall assessment. Conducting a risk assessment regarding cyberthreats would have allowed MassCEC to identify the need to develop effective internal controls (i.e., policies and procedures) to mitigate risks in this area and prevent the improper transaction from occurring.

MassCEC did not have written policies and procedures in place to promptly notify the board of directors of incidents or actions such as thefts or breaches of information security controls within a specific timeframe. Furthermore, MassCEC management said that they were unaware of the guidelines promulgated by DHS regarding reporting cybercrimes to the FBI’s Internet Crime Complaint Center.

According to MassCEC management, they believed they had fulfilled their obligations to report the theft by verbally contacting the Massachusetts Office of the Attorney General and the Boston Police Department.

1. MassCEC should conduct risk assessments and develop written policies and procedures to manage all risks to its operations, including its exposure to cybercrime, and immediately inform its board of directors of any incidents, including security breaches perpetrated against the organization.
2. MassCEC should consider adopting elements of the COSO model in developing control activities to prevent, detect, and mitigate cyber-risks.

MassCEC takes the stewardship of public funds very seriously. Upon discovering the fraudulent activity, management immediately contacted its bank and successfully recovered $25,261, or 27% of the funds. In February 2017 when the event was identified, management conducted an immediate review and enhancement of internal controls. Additional layers of IT security and enhanced internal controls around wire transfers were implemented quickly to prevent and detect fraud from occurring in the future. Examples of these additional internal controls include requiring employees take an IT security training course annually, additional verification steps for vendor banking information for wire transfers, and the installation of software that blocks known fraudulent websites.

MassCEC has in place a risk assessment that identifies potential risks to the organization and internal controls and procedures to mitigate those risks, which is periodically reviewed and updated. Management will enhance this risk assessment to include cyber security. MassCEC management will continue to monitor the ongoing trends and constantly changing cyber threat environment and will further enhance our internal controls and procedures as appropriate to mitigate the risks of future events. As recommended by the auditor, MassCEC will consider adopting elements of the COSO model, including incorporating the general framework into our existing risk assessment model and in developing control activities to prevent, detect and mitigate risk.

With respect to the issue of reporting, we are committed to taking more timely action to notify the members of our Board of Directors, should similar incidents occur in the future. However, we wish to clarify that, in response to the incident at issue, MassCEC did notify the Chair of the Audit Committee and the office of our Board Chair in July 2017, prior to the full Board notification in September 2017.

MassCEC has also enhanced our existing policies and procedures to require timely reporting of all thefts of funds or property to relevant authorities and our Board of Directors. The enhanced policy requires management to immediately inform the Chief Executive Officer upon discovery of a fraudulent event or theft, and the Chief Executive Officer and/or Chief Financial Officer to inform the Board of Directors and relevant authorities in a timely manner. For cybercrime events, the policy requires management to report the incident to the Federal Bureau of Investigation’s Internet Crime Complaint Center.