Does the R.R. Donnelley settlement mean heightened Securities and Exchange Commission (SEC) involvement in regulating public companies’ cybersecurity policies and practices? Our Securities Litigation, Privacy, Cyber & Data Strategy, and Securities teams opine.

• Treats the company’s computer systems as an “asset” subject to internal accounting controls rules and regulations
• Expands the SEC’s definition of “accounting controls” to include what have traditionally been seen as information security controls
• Indicates that the SEC intends to police public companies’ cyber-related policies, practices, and personnel

On June 18, 2024, the Securities and Exchange Commission (SEC) announced a $2.125 million settlement with R.R. Donnelley & Sons Co. (RRD) related to the company’s 2021 ransomware attack. The settlement, and the SEC’s accompanying cease-and-desist order, portend the agency’s continued and increasing oversight of registrants’ cybersecurity policies and practices.

Background

RRD is a global provider of business communications and marketing solutions. The order claims that, due to the nature of its services, RRD regularly stored and transmitted confidential and potentially sensitive data of its clients, which include health care companies, financial institutions, publicly traded companies, and other SEC registrants.

RRD was the subject of a well-publicized ransomware attack beginning on November 29, 2021, which the company disclosed in its SEC filings in late December 2021. According to the order, RRD’s internal intrusion detection system began issuing alerts about potential malware on the company’s network on November 29, 2021, which (while visible to RRD’s internal security personnel) were reviewed in the first instance by the company’s third-party managed security services provider (MSSP). The MSSP escalated some—but not all—of these alerts to RRD security personnel and flagged indications of similar activity occurring on several computers, possibly indicating that a threat actor had begun moving laterally within RRD’s systems. The MSSP also raised to RRD personnel connections between the alerts and a broader phishing campaign, as well as open-source intelligence that the malware could facilitate remote execution of “arbitrary code” and that it had been used in other ransomware attacks.

RRD personnel ultimately reviewed the alerts but did not independently investigate the activity or take steps to prevent further compromise until a third party with shared access to RRD’s network alerted the company’s chief information security officer “about potential anomalous internet activity emanating from RRD’s network.”

The company then began shutting down the affected servers and responding to the attack. In the 24 days between when the MSSP first escalated the alerts to RRD and when the company took action, the threat actor exfiltrated 70 gigabytes of data, including data belonging to 29 out of the company’s 22,000 clients.

Alleged Internal Accounting and Disclosure Controls Violations

Interestingly, the order does not challenge the substance or timing of the company’s SEC disclosures related to the incident.

Instead, the SEC claims that the company failed to maintain “sufficient internal accounting controls” to provide reasonable assurances that access to RRD’s “assets” was permitted only with management’s authorization, as required under Section 13(b)(2)(B) of the Securities Exchange Act of 1934. The order defines RRD’s information technology systems and networks as the company’s “assets” under the Exchange Act, and notes that information technology and cybersecurity are critically important to RRD because its business involves storing and transmitting large amounts of customer data.

More specifically, the SEC critiques the company’s management of its MSSP, stating that the company (1) “failed to reasonably set out a sufficient prioritization scheme and workflow for [the MSSP’s] review and escalation of the alerts”; and (2) “did not have sufficient procedures to audit or otherwise oversee the MSSP in order to confirm that the MSSP’s review and escalation of the alerts was consistent with RRD’s expectations and instructions.” The order further critiques the company’s internal program tasked with reviewing escalated alerts, noting that the program was understaffed and that the company’s policies failed to “sufficiently identify lines of responsibility and authority, set out clear criteria for alert and incident prioritization, and establish clear workflows for alert review and incident response and reporting.”

The order additionally references disclosure controls claims against RRD under Exchange Act Rule 13a-15(a), on the grounds that that the company’s “cybersecurity procedures and controls were not designed to ensure all relevant information relating to alerts and incidents was reported to RRD’s disclosure decision-makers in a timely manner, and did not provide guidance regarding the personnel responsible for reporting such information to management.” The SEC concludes that this hindered the company’s ability to assess the incident “from a disclosure perspective.”

In agreeing to the settlement, the company agreed to cease and desist from “committing or causing any violations and any future violations of Exchange Act Section 13(b)(2)(B) and Rule 13a-15(a)” and to pay a $2.125 million fine.

Notably, two commissioners publicly dissented from the order, stating that by treating RRD’s computer systems as an asset subject to regulation by the SEC under the guise of “internal accounting controls,” the order “ignores the distinction between internal accounting controls and broader administrative controls.” The dissent further condemns the order, noting that “a broad interpretation of Section 13(b)(2)(B) to cover computer systems gives the Commission a hook to regulate public companies’ cybersecurity practices. Any departure from what the Commission deems to be appropriate cybersecurity policies could be deemed an internal accounting controls violation. … While an enforcement action may be warranted in some circumstances, distorting a statutory provision to form the basis for such an action inappropriately amplifies a company’s harm from a cyberattack.”

Takeaways

• The order signals the SEC’s intent to expand the meaning of “accounting controls” to include what have been traditionally thought of as information security controls, such as the escalation process for handling incoming cyberthreat alerts and the management of internal and external cybersecurity personnel.
• While most (if not all) cyber-related enforcement actions have included disclosure controls related allegations, this appears to be the first time the SEC is explicitly policing a company’s cyber-related policies, practices, and personnel. This may be evidence that the SEC is continuing to stretch its oversight authority over SEC registrants and public companies.
• The order asserts that RRD held “sensitive” data but does not focus on the type of data RRD held or what information was actually accessed or exfiltrated during the incident. The breadth of the SEC’s definition of “sensitive data” remains unclear.
• The order provides no guidance about how broadly the SEC may apply the argument that a company’s information technology systems and networks are company “assets.”
• This is the first SEC order in a cyber-related case to provide specific details about the company’s efforts to cooperate, including that the company reported the incident to SEC staff before its first Form 8-K disclosing the incident, voluntarily revising its incident response policies, providing detailed explanations and summaries to the staff, and complying with several staff requests without requiring a subpoena. The SEC claims to have taken the company’s cooperation into account in reaching the settlement and fine amount.
• The penalty of just over $2 million is generally consistent with other recent cyber-related SEC settlements.

[View source.]