The $2.8 Billion Email: What CEOs Get Wrong About BEC Fraud

Business Email Compromise scams are rising fast and they’re not just an IT problem—they’re a boardroom risk. Here’s how CEOs and GCs can lead the defense.

It usually starts with a simple email. A CFO gets a message from the CEO—urgent, time-sensitive, and confidential. “Wire $1.2 million to this account to close the deal.” The CFO acts quickly. Hours later, the real CEO calls. There was no deal. The email was a fake. And the money is already gone.

This is Business Email Compromise (BEC), and it’s not just an IT issue. It’s a leadership issue.

According to the FBI's most recent Internet Crime Report, BEC scams accounted for nearly $2.8 billion in reported losses in 2024. That makes BEC the second-costliest form of cybercrime after investment fraud. While large enterprises are certainly targets, mid-market companies are often hit hardest: they are big enough to be lucrative, but not always equipped to defend against increasingly sophisticated social engineering scams like BEC.

Here’s what CEOs and General Counsels need to understand—and act on—now.

BEC Is Not a Data Breach. It’s Worse.

Many executives assume that fraud and data breaches trigger the same legal response. But whether an incident is classified as a "breach" or a "fraud" drives everything that follows, and BEC often falls into a far riskier gray area. For CEOs and General Counsel, that creates a serious legal question, one that determines disclosure obligations, recovery options, and who ultimately bears the loss.

Unlike ransomware or malware, BEC does not generally exploit software vulnerabilities; it exploits people and process. Fraudsters pose as trusted executives or vendors, whether from a look-alike domain, a spoofed sender address, or a genuinely compromised mailbox, and convince employees to transfer funds or share sensitive information. Because the request arrives through a channel the recipient already trusts, these scams are difficult to detect and even harder to unwind.

Because BEC incidents often fall outside traditional breach-notification regimes, companies may assume they are insulated from legal or regulatory scrutiny. In reality, that assumption can be misplaced. As threats increasingly leverage automation and AI-assisted social engineering, post-incident inquiries tend to focus less on whether something went wrong than on whether leadership made deliberate, well-documented decisions about a known risk before it did.

The Legal Risk Is Real

Most executives assume that if their company is defrauded, someone else will be liable — the bank, the insurer, a negligent vendor. But courts have sometimes treated BEC losses as the company’s responsibility, particularly if internal controls weren’t followed.

The FBI stresses that timely reporting is critical, but even then, recovering stolen funds is far from certain. And under U.S. commercial law (UCC Article 4A), a bank is generally liable only if it failed to follow a commercially reasonable security procedure or acted on a discrepancy it actually knew about, such as a known mismatch between a beneficiary's name and account number. A bank that has no knowledge of the mismatch may process the wire on the account number alone, and the loss stays with the company that sent it.

Regulators Are Watching

Regulatory expectations have also evolved. The SEC's 2023 cybersecurity disclosure rules require public companies to disclose a material cybersecurity incident, which can include a BEC incident, on Form 8-K within four business days of determining that the incident is material, and to describe board oversight of cybersecurity risk in their annual reports. What might have started out as a financial issue can quickly turn into a governance and disclosure challenge for public companies.

For government contractors, the exposure goes further. The DOJ's Civil Cyber-Fraud Initiative is using the False Claims Act to hold government contractors accountable for overstating their cybersecurity practices. In that context, a BEC incident may serve as evidence of a gap between what a company said it was doing and what it had actually implemented, opening the door to enforcement risk even without a traditional data breach.

What CEOs and General Counsel Should Do Now

CEOs and General Counsel must act in the face of increasingly sophisticated scams and growing legal and regulatory exposure. The steps below directly affect potential liability, insurance recovery, and enforcement risk after an incident.

  1. Set the Tone from the Top

After a BEC incident, investigators ask whether leadership clearly expected employees to escalate and verify unusual payment requests, including those appearing to come from senior executives. Courts and regulators may treat this as a board-level governance issue. Companies that cannot show leadership support for escalation face greater exposure to claims that controls existed on paper but failed in practice.

  2. Enforce Strong Controls

In BEC cases, internal controls often determine whether losses are recoverable or absorbed. Dual approvals and call-back verification for payment changes can be prerequisites to insurance coverage and key indicators of effective oversight. The call-back must go to a phone number already on file for the vendor or executive, never to a number supplied in the email that requested the change, since the fraudster controls that one. Inconsistent application of these controls invites questions not just about prevention, but about supervision.

  3. Document Reasonable Prevention

Post‑incident reviews focus on whether management took reasonable, documented steps to address a known risk. Training, simulations, and layered technical controls matter because they create a contemporaneous record of risk assessment and response—often central to regulatory inquiries, coverage disputes, and oversight claims.

  4. Rehearse the Response

Once funds move, response decisions are scrutinized immediately. A defined incident‑response plan helps preserve privilege, avoid inconsistent disclosures, and support insurance recovery. Improvisation can compound financial loss with avoidable legal exposure.

  5. Pressure-Test Insurance Coverage

BEC losses often fall between cyber, crime, and D&O policies, with coverage turning on whether specific controls were in place before the incident. Boards should not rely on assumptions. Reviewing coverage against realistic BEC scenarios—before an incident—can surface gaps that materially affect financial and governance risk.

The bottom line: BEC is a board-level risk that demands executive attention, but it is largely preventable, and its effects can be mitigated. Companies that lead with vigilance, enforce smart controls, and prepare for the worst are far less likely to suffer catastrophic losses. The companies that get this right won’t be the ones with the best firewalls—they’ll be the ones whose leadership never assumed it couldn’t happen to them.
