New York Federal Court Refuses to Extend Accounting Controls Requirements to Cybersecurity Controls

Steptoe & Johnson PLLC

Section 13(b)(2)(B) of the Securities Exchange Act of 1934 requires public companies to “devise and maintain a system of internal accounting controls.” In a recent opinion, a New York federal court rejected the Securities and Exchange Commission’s (SEC) argument that a public issuer violates Section 13(b)(2)(B) when it fails to implement an adequate system of cybersecurity controls.

The SEC had some success with this legal theory in administrative enforcement actions. For example, in June 2024, the SEC settled an enforcement action against R.R. Donnelley & Sons Company (RRD), a global provider of business communication and marketing services. The SEC’s order found that RRD violated Section 13(b)(2)(B) because its controls for elevating cybersecurity incidents to its management and protecting company assets from cyberattacks were insufficient. Without admitting or denying the SEC’s findings, RRD agreed to cease and desist from committing violations of these provisions and to pay a civil penalty of more than $2 million.

In court, however, the SEC’s legal theory was not successful. The New York federal case began in 2023 when the SEC filed a complaint against SolarWinds Corp. and its chief information security officer in the U.S. District Court for the Southern District of New York. The SEC alleged, among other things, that the defendants violated Section 13(b)(2)(B) by failing to devise an adequate system of cybersecurity protections. On July 18, 2024, the federal court flatly rejected this theory of liability and dismissed the SEC’s Section 13(b)(2)(B) claim. Securities and Exchange Commission v. SolarWinds Corp., 2024 WL 3461952 (S.D.N.Y. July 18, 2024).

The court observed that Section 13(b)(2)(B) applies only to a company’s “system of internal accounting controls” and found that the plain meaning of this statutory language limited the provision’s application to systems of financial accounting. Further, the court found that the few courts to have analyzed the term “internal accounting controls” as used in Section 13(b)(2)(B) had construed it to relate only to financial accounting. The court thus concluded that the requirement to “devise and maintain a system of internal accounting controls” was properly read to require the issuer to accurately report, record, and reconcile financial transactions and events, not to have an adequate system of cybersecurity protections.

The SEC tried to persuade the court that cybersecurity controls fell within Section 13(b)(2)(B) because they were necessary to ensure that third parties could not access a public company’s assets. However, the New York federal court found that accepting this rationale would have “sweeping ramifications.” The court observed that the SEC’s rationale could empower the agency to also regulate “background checks used in hiring nighttime security guards, the selection of padlocks for storage sheds, safety measures at water parks on whose reliability the asset of customer goodwill depended, and the lengths and configurations of passwords required to access company computers.” Such an expanded construction was inconsistent with the text of Section 13(b)(2)(B), the court concluded.

The SEC likely will appeal the SolarWinds opinion and will continue to pursue enforcement actions based on its expansive view of Section 13(b)(2)(B). Until a federal appellate court resolves the question of the viability of the SEC’s expansive view of its enforcement authority, public companies face uncertainty about whether the SEC can regulate their cybersecurity controls in addition to their financial accounting controls. The recent SolarWinds decision, however, gives public companies a basis to push back on such efforts.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Steptoe & Johnson PLLC
