SEC Settlement: Cybersecurity Internal Controls

Patterson Belknap Webb & Tyler LLP

On June 18, 2024, the Securities and Exchange Commission (“SEC”) announced a $2.1 million civil penalty settlement of charges against R.R. Donnelley & Sons (“RRD”), a global provider of business communications services and marketing solutions, for disclosure and internal accounting control failures.[1] The SEC alleged that these failures resulted in RRD’s “fail[ure] to execute a timely response to a ransomware network intrusion” that began on November 29, 2021 and resulted in “encryption of computers, exfiltration of data, and business service disruptions.”[2] The settlement is unprecedented in that it marks a significant expansion of the SEC’s oversight of public companies’ cybersecurity policies and procedures.

Background

Prior to the ransomware attack that began on November 29, 2021, RRD utilized an internal intrusion detection system that issued alerts when it detected a cybersecurity intrusion. These alerts were reviewed in the first instance by a third-party managed security services provider (“MSSP”). The MSSP would then choose to escalate those alerts, if appropriate, to RRD’s internal personnel.

The SEC alleges that the ransomware network intrusion that began on November 29, 2021 triggered alerts, some of which were escalated to RRD’s security personnel but at least 20 of which were not. While RRD reviewed the alerts that were escalated, it “did not take the infected instances off the network and failed to conduct its own investigation of the activity, or otherwise take steps to prevent further compromise,” until December 23, 2021.[3]

As a result, the threat actor was able to install encryption software on RRD computers and “exfiltrated 70 Gigabytes of data, including data belonging to 29 of RRD’s 22,000 clients, some of which contained personal identification and financial information.”[4] Only after a third-party company with shared access to the network alerted RRD regarding the suspicious activity on December 23, 2021 did RRD begin a “rapid and extensive response operation.”[5] Ultimately, there was no evidence that the threat actor accessed RRD’s financial systems or corporate financial and accounting data. RRD disclosed the incident in a Form 8-K filed on December 27, 2021.
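The escalation chain described above (detection-system alerts triaged by an MSSP, escalation to internal staff, then containment) is the control that failed: alerts were raised on November 29, at least 20 were never escalated, and no host was taken off the network until December 23. As an added example, not code from the article, the SEC order or RRD, the script below audits a constructed alert record against escalation and containment time limits and computes the dwell time between the first alert and the first containment action. The alert IDs, hostnames, SLA values, audit time and JSON-lines format are all assumptions for illustration.

```python
"""Audit an alert-escalation pipeline for unescalated alerts and containment delay.

Added example, not from the article or the SEC order. The alert records are
constructed to mirror the timeline the order describes (alerts from late
November 2021, some never escalated, no isolation until December 23, 2021).
Field names, SLA values and the JSON-lines layout are assumptions.
"""
import json
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

ESCALATION_SLA = timedelta(hours=4)    # assumed: MSSP must escalate within 4 hours
CONTAINMENT_SLA = timedelta(hours=24)  # assumed: isolate the host within 24 hours
AUDIT_TIME = datetime(2021, 12, 24)    # assumed point in time at which the audit runs

# Constructed alert feed (not real RRD data): one JSON object per line.
SAMPLE_ALERTS = """
{"id": "A-1001", "host": "print-srv-17", "raised": "2021-11-29T03:12:00", "escalated": "2021-11-29T05:40:00", "contained": "2021-12-23T20:15:00"}
{"id": "A-1002", "host": "print-srv-17", "raised": "2021-11-30T11:05:00", "escalated": null, "contained": null}
{"id": "A-1003", "host": "fileshare-02", "raised": "2021-12-02T22:48:00", "escalated": "2021-12-03T09:30:00", "contained": "2021-12-23T21:00:00"}
{"id": "A-1004", "host": "wkstn-4411", "raised": "2021-12-23T14:00:00", "escalated": "2021-12-23T15:10:00", "contained": "2021-12-23T18:30:00"}
"""


@dataclass
class Alert:
    alert_id: str
    host: str
    raised_at: datetime
    escalated_at: Optional[datetime]  # None: MSSP closed it without escalating
    contained_at: Optional[datetime]  # None: host never taken off the network


def _ts(value: Optional[str]) -> Optional[datetime]:
    return datetime.fromisoformat(value) if value else None


def parse_alerts(lines) -> List[Alert]:
    """Parse JSON-lines alert records; blank lines are skipped."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        alerts.append(Alert(rec["id"], rec["host"], _ts(rec["raised"]),
                            _ts(rec.get("escalated")), _ts(rec.get("contained"))))
    return alerts


def control_gaps(alerts: List[Alert], now: datetime) -> List[Tuple[str, str]]:
    """Return (alert_id, reason) for every point where the process broke down."""
    gaps = []
    for a in alerts:
        if a.escalated_at is None:
            gaps.append((a.alert_id, "never escalated by MSSP"))
        elif a.escalated_at - a.raised_at > ESCALATION_SLA:
            gaps.append((a.alert_id, "escalated late"))
        # Containment clock starts at escalation, or at the alert if never escalated.
        clock_start = a.escalated_at or a.raised_at
        if a.contained_at is None:
            if now - clock_start > CONTAINMENT_SLA:
                gaps.append((a.alert_id, "host never isolated"))
        elif a.contained_at - clock_start > CONTAINMENT_SLA:
            gaps.append((a.alert_id, "host isolated late"))
    return gaps


def dwell_time_days(alerts: List[Alert]) -> Optional[int]:
    """Whole days from the first alert to the first containment action."""
    first_alert = min(a.raised_at for a in alerts)
    contained = [a.contained_at for a in alerts if a.contained_at is not None]
    if not contained:
        return None
    return (min(contained) - first_alert).days


def audit_sample():
    """Run the audit over the constructed feed at AUDIT_TIME."""
    alerts = parse_alerts(SAMPLE_ALERTS.splitlines())
    return control_gaps(alerts, AUDIT_TIME), dwell_time_days(alerts)


if __name__ == "__main__":
    gaps, dwell = audit_sample()
    for alert_id, reason in gaps:
        print(f"{alert_id}: {reason}")
    print(f"dwell time: {dwell} days")
```

On the constructed feed the audit reports five gaps (one alert never escalated and never isolated, one escalated late, and two hosts isolated weeks after escalation) and a dwell time of 24 days. The point of running such a check continuously, rather than after the fact, is that an alert the MSSP silently closes still shows up as an unescalated record on the customer's side, which is exactly the visibility the order says was missing.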

The Settlement

The SEC alleged that RRD violated the disclosure controls and procedures requirements of Exchange Act Rule 13a-15(a) by its failure “to design effective disclosure-related controls and procedures around cybersecurity incidents to ensure that relevant information was communicated to management to allow timely decisions regarding potentially required disclosure.”[6]

In addition, the SEC alleged that RRD violated the internal accounting controls provisions of Exchange Act Section 13(b)(2)(B)(iii), which requires companies to “devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances that . . . access to assets is permitted only in accordance with management’s general or specific authorization.”[7] As a result of these violations, RRD was ordered to pay a civil money penalty of $2.125 million.

Dissent

Two SEC Commissioners, Hester Peirce and Mark Uyeda, issued a joint statement dissenting from the majority’s use of Section 13(b)(2)(B).[8] They argued that “[b]y treating RRD’s computer systems as an asset subject to the internal accounting controls provision,” the SEC utilized an “expansive interpretation of what constitutes an asset under Section 13(b)(2)(B)(iii)” that exceeded the limits of the Exchange Act. Specifically, the dissenting Commissioners stated that such an interpretation incorrectly gave “the Commission a hook to regulate public companies’ cybersecurity practices”[9] that could lead to a situation in which “any departure from what the Commission deems to be appropriate cybersecurity policies could be deemed an internal accounting controls violation.”[10]

Expectations for the Future

The RRD settlement highlights the SEC Enforcement Division’s focus on cybersecurity practices and its intent to regulate the space to a greater degree. While the Enforcement Division had previously brought cyber-related enforcement actions, those actions concerned companies that failed to adequately disclose a cyber incident.[11] The SEC brought charges against RRD under the Exchange Act even though RRD had in fact disclosed the breach to the public.

However, the Enforcement Division’s actions stand in stark contrast to other statements from the SEC suggesting that the Commission does not intend to prescribe cybersecurity controls. For example, at the end of 2023, Erik Gerding, Director of the SEC’s Division of Corporation Finance, issued a statement in which he said that the “Commission is not seeking to prescribe particular cybersecurity defenses, practices, technologies, risk management, governance, or strategy.”[12]

Despite this lack of clarity from the SEC itself, the U.S. District Court for the Southern District of New York may soon provide further guidance. In SEC v. SolarWinds Corp., 23-cv-09518-PAE (S.D.N.Y), the SEC has brought a claim under Section 13(b)(2)(B) for an internal accounting control violation. SolarWinds has moved to dismiss that claim, arguing that it “amounts to a wholesale rewriting of the law.”[13] A decision on that motion is expected shortly.


[1] Securities and Exchange Commission, SEC Charges R.R. Donnelley & Sons Co. with Cybersecurity-Related Controls Violations (July 2, 2024), https://www.sec.gov/newsroom/press-releases/2024-75.

[2] Securities and Exchange Commission, Cease-And-Desist Order, R.R. Donnelley & Sons Co., page 2, (Jun. 18, 2024), https://www.sec.gov/files/litigation/admin/2024/34-100365.pdf.

[3] Id. at 4.

[4] Id.

[5] Id.

[6] Id. at 2.

[7] Id.

[8] Commissioners Hester M. Peirce and Mark T. Uyeda, Hey, look, there’s a hoof cleaner! Statement on R.R. Donnelley & Sons, Co., (Jun. 18, 2024), https://www.sec.gov/newsroom/speeches-statements/peirce-uyeda-statement-rr-donnelley-061824.

[9] Id.

[10] Id.

[11] Securities and Exchange Commission, Altaba, Formerly Known as Yahoo!, Charged With Failing to Disclose Massive Cybersecurity Breach; Agrees To Pay $35 Million (Apr. 24, 2018), https://www.sec.gov/newsroom/press-releases/2018-71.

[12] Erik Gerding, Cybersecurity Disclosure, (Dec. 14, 2023), https://www.sec.gov/newsroom/speeches-statements/gerding-cybersecurity-disclosure-20231214.

[13] SEC v. SolarWinds Corp., 23-cv-09518-PAE, Dkt. No. 46 (S.D.N.Y).

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Patterson Belknap Webb & Tyler LLP | Attorney Advertising
