SEC Settles Enforcement Proceedings Against Business for Allegedly Insufficient Internal Controls Relating to Cybersecurity Incident

Devin Eager, Mark Quade, Nathaniel Segal, Jacob Tiedt, Jake Wiesen
Vedder Price
Contact
LinkedIn
Facebook
X
Send
Embed

Vedder Price

On June 18, 2024, the SEC announced the settlement of administrative proceedings brought against a marketing and business communications firm for alleged internal accounting control deficiencies that caused the firm’s failure to promptly respond to a ransomware attack that occurred between November 29, 2021 and December 23, 2021, and which involved the unauthorized encryption of the firm’s computers, exfiltration of firm and client data, and business service disruptions.  According to the order, the firm received and reviewed network intrusion alerts escalated to it by its third-party managed security services provider, but the firm’s cybersecurity alert review and incident response policies and procedures failed to adequately establish a prioritization scheme and provide clear guidance to internal and external personnel on procedures for responding to such incidents. As a result, the firm did not take the malware-infected instances off its network, investigate the activity, or take other steps to prevent further network compromise until December 23, 2021. 

The SEC alleged that the firm “failed to design effective disclosure-related controls and procedures around cybersecurity incidents to ensure that relevant information was communicated to management to allow timely decisions regarding potentially required disclosure” and also “failed to reasonably design and maintain internal controls that complied with Section 13(b)(2)(B) of the Securities Exchange Act of 1934.”  The SEC found that the firm also violated Exchange Act Rule 13a-15(a), which requires issuers of securities (such as the firm) to maintain disclosure controls and procedures designed to ensure that information required to be disclosed by an issuer is properly recorded, processed, summarized, and reported.

Without admitting or denying the SEC’s findings, the firm consented to cease and desist from future violations and to pay a civil monetary penalty of approximately $2.1 million. In agreeing to the settlement, the SEC considered the remedial acts promptly undertaken by the firm, including voluntarily adopting new cybersecurity technology and controls, and its cooperation with the SEC staff.  In response to this action, Commissioners Peirce and Uyeda issued a statement expressing their concerns over, among other things, the SEC’s use of Section 13(b)(2)(B) of the Exchange Act as a “Swiss Army Statute to compel issuers to adopt policies and procedures the Commission believes prudent.”

The SEC’s order is available here, and a related press release is available here.

[View source.]

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Vedder Price

Written by:

Vedder Price
Vedder Price
Contact
more
less

PUBLISH YOUR CONTENT ON JD SUPRA NOW

  • Increased visibility
  • Actionable analytics
  • Ongoing guidance

Vedder Price on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide