In a significant expansion of internal controls enforcement, the SEC announced a $2.1 million settlement with R.R. Donnelley & Sons Co. (“RRD”) for its handling of a 2021 ransomware attack and resulting disclosure failures. The settlement represents the SEC’s first application of its internal controls enforcement authority to include cybersecurity policies and procedures.
In 2021, RRD suffered a cyber attack in which a threat actor used deceptive hacking techniques to install encryption software on certain computers and exfiltrated 70 Gigabytes of data, including data tied to 29 client, some of which contained personal and financial information.
The SEC alleged that RRD did not detect the hack until a third-party notified RRD’s CISO about anomalous activity on their shared RRD network. Only after receiving such notification, RRD personnel shut down its servers and notified clients and government agencies. RRD confirmed that the threat actor did not access RRD’s financial information.
In reviewing RRD’s handling of the cyber incident, the SEC cited RRD’s failure to respond to notices issued by a third-party monitoring service and to conduct its own investigation of the potential hack. Specifically, the SEC criticized RDD’s failure to prioritize review of such alerts and implementation of a workflow for review and escalation of such reports. Further, the SEC noted that RRD did not allocate enough personnel to oversee the third-party reports and follow through with escalation reports. Also, the SEC criticized RRD’s internal incident response policies for not defining proper lines of responsibility, criteria for prioritizing alerts and efficient workflows for incident response and reporting.
Taking all of these factors together, the SEC concluded that RRD failed to design and maintain internal controls sufficient to provide reasonable assurances that access to its assets was not exploited by hackers who exfiltrated a large amount of data.
Aside from the internal controls violation, the SEC noted that RRD failed to design effective disclosure controls around cybersecurity incidents to ensure that management was promptly informed of cyber events such that management could make any timely disclosure that may be required. As the SEC’s settlement notes, RRD failed to ensure that information was escalated to management for a proper disclosure decision.
RRD cooperated with the investigation and implemented apporpriate remediation, including revising its incident response policies and procedures, conducting additional training for employees and increasing cybersecurity staff levels.
The SEC’s settlement decision was not unanimous and drew several dissenting statements. Specifically, Commissioners Hester Peirce and Mark Uyeda released a critical statement arguing against the SEC’s continued expansion of its internal controls enforcement authority. According to the two Commissioners, the SEC’s application of internal controls to specific cybersecurity controls and disclosure requirements is an unjustified expansion of the internal controls provision.
The SEC’s action raises serious question as to limits on its internal accounting controls authority. As interpreted by the SEC, any cyber incident could result in an internal controls violation. Such an expansion of the SEC’s authority is difficult to accept given that every cyber incident will necessarily involve some deficiency in a company’s cyber policies and procedures. The SEC has not provided any specific guidance on precisely what are reasonable and appropriate cybersecurity internal accounting controls. Until that happens, it is easy for the SEC to find a deficiency after a cyber incident has actually occurred.
If the SEC continues to pursue this enforcement policy, companies should undertake a wholesale review of their cybersecurity policies and procedures, as well as its disclosure policies.
