In this June Order, SEC Enforcement brought settled charges against R.R. Donnelley & Sons, a “global provider of business communications services and marketing solutions,” for two control failures: a failure to maintain adequate disclosure controls and procedures related to cybersecurity incidents and alerts, and a failure to devise and maintain adequate internal accounting controls—more specifically, “a system of cybersecurity-related internal accounting controls sufficient to provide reasonable assurances that access to RRD’s assets—its information technology systems and networks, which contained sensitive business and client data—was permitted only with management’s authorization.” RRD agreed to pay over $2.1 million to settle the charges. Interestingly, in a Statement, SEC Commissioners Hester Peirce and Mark Uyeda decried the SEC’s use of “Section 13(b)(2)(B)’s internal accounting controls provision as a Swiss Army Statute to compel issuers to adopt policies and procedures the Commission believes prudent,” not to mention its “decision to stretch the law to punish a company that was the victim of a cyberattack.”
According to the Order, as part of its services, RRD regularly stored and transmitted confidential data of its clients. RRD had set up internal intrusion detection systems that issued alerts when intrusions were detected. Although the alerts were available to RRD’s internal personnel for review, they were reviewed initially by RRD’s third-party managed security services provider (MSSP), which would then escalate alerts as appropriate. The response and remediation for identified incidents were performed by both RRD’s internal personnel and the MSSP.
Between November 2021 and January 2022, the Order alleged, a number of alerts were received, three of which were escalated to RRD’s internal security personnel, indicating the use of malware on multiple computers and providing a “link to a cybersecurity magazine article, which described the malware and stated that it was often used in ransomware operations.” The Order alleged that RRD reviewed the escalated alerts but, “in partial reliance on its MSSP, did not take the infected instances off the network and failed to conduct its own investigation of the activity, or otherwise take steps to prevent further compromise, until late December 23, 2021.” According to the Order, the MSSP also reviewed at least 20 other alerts related to the same activity in November and December 2021, but did not escalate them to RRD. These included “alerts regarding the same malware being installed or executed on multiple other computers across the network and compromise of a domain controller server, which provided the threat actor with access to and control over a broader sweep of network resources and credentials. The malware executed on the domain controller was at the time publicly known to have been used by the ransomware group credited with the attack on RRD.” Then, between November 29 and December 23, 2021, the threat actor installed encryption software on certain RRD computers and “exfiltrated 70 Gigabytes of data, including data belonging to 29 of RRD’s 22,000 clients, some of which contained personal identification and financial information.” After a company with shared access to RRD’s network alerted RRD’s CISO on December 23, “RRD’s security personnel conducted a rapid and extensive response operation.” RRD found no evidence that RRD’s financial systems and corporate financial and accounting data were accessed in the attack. On December 27, RRD issued a public statement.
According to the SEC, RRD’s cybersecurity review and response policies and procedures were inadequate, failing to provide sufficient guidance for incident responses or oversight of the MSSP’s review and escalation of the alerts. With respect to the 2021 ransomware incident, RRD’s “failure to design and maintain internal controls sufficient to provide reasonable assurances that access to RRD’s assets was permitted only with management’s authorization was exploited by hackers. While RRD’s internal systems began issuing alerts on the first day of the compromise, approximately three weeks before any encryption and exfiltration of data took place, RRD’s external and internal security personnel failed to adequately review these alerts and take adequate investigative and remedial measures until a company with shared access to RRD’s network notified RRD about anomalous internet traffic on December 23, 2021.”
The SEC charged that RRD violated the disclosure controls and procedures requirements of Exchange Act Rule 13a-15(a), because it “failed to design effective disclosure-related controls and procedures around cybersecurity incidents to ensure that relevant information was communicated to management to allow timely decisions regarding potentially required disclosure.” In particular, the controls and procedures “were not designed to ensure all relevant information relating to alerts and incidents was reported to RRD’s disclosure decision-makers in a timely manner, and did not provide guidance regarding the personnel responsible for reporting such information to management.”
In addition, the SEC charged that RRD violated the internal accounting controls provisions of Exchange Act Section 13(b)(2)(B), which requires companies to “devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances, among other things, that access to company assets is permitted only in accordance with management’s general or specific authorization.” In particular, RRD was alleged to have violated the internal accounting controls requirements because “RRD’s cybersecurity alert review and incident response policies and procedures failed to adequately establish a prioritization scheme and to provide clear guidance to internal and external personnel on procedures for responding to incidents. In addition, RRD failed to establish sufficient internal controls to oversee the MSSP’s review and escalation of the alerts.”
In reaching a settlement, the SEC took into account RRD’s cooperation and remedial efforts, including reporting the incident to SEC staff prior to any EDGAR filing, voluntarily revising its policies and providing information to the staff upon request. RRD was ordered to pay a civil money penalty of $2.125 million.
Commissioners Hester Peirce and Mark Uyeda issued a statement critical of the SEC’s approach to this Order—essentially its use of the internal accounting controls provision of Section 13(b)(2)(B) “as a Swiss Army Statute to compel issuers to adopt policies and procedures the Commission believes prudent” without clearly identifying a link between those preferred policies and procedures and accounting controls. The SEC, they contended, is treating Section 13(b)(2)(B) as “a novel attachment on its multi-use tool—‘a system of cybersecurity-related internal accounting controls.’”
In the Order, RRD was charged with violating the requirement in Section 13(b)(2)(B)(iii) that “it devise and maintain a system of internal accounting controls sufficient to provide reasonable assurance that . . . (iii) access to assets is permitted only in accordance with management’s general or specific authorization.” But Peirce and Uyeda argued that the controls involved here were more properly categorized as “administrative controls” rather than “internal accounting controls.” How does that work? According to the two Commissioners, the “assets” to which the Order referred were RRD’s “information technology systems and networks.” But those assets, they contended, were “not … asset[s] of the type covered by Section 13(b)(2)(B)’s internal accounting controls provisions.” The focus of the applicable Statement on Auditing Standards “makes clear that the objective of permitting ‘access to assets . . . only in accordance with management’s authorization’ is concerned not with all corporate assets, but rather with assets of a particular character—those that are the subject of corporate transactions. The asset at issue in the Order—RRD’s computer systems—does not have that essential characteristic.” Although RRD’s computer systems were corporate property, they were “not the subject of corporate transactions. At most, computer systems process transactions in corporate assets, but the internal accounting controls are concerned with the use and disposition of the corporate assets themselves,” i.e., “transactions that ended in the disbursement of cash.” Here, “the controls associated with the means of processing transactions in corporate assets are more appropriately categorized as administrative controls involving management’s decisions prior to authorizing transactions.” In support of their distinction between these two types of controls, they cited several examples from the SEC’s 2018 report of investigation related to cyber-frauds and accounting controls.
In the view of the two Commissioners, the SEC’s Order charging RRD with failures of “internal accounting controls breaks new ground with its expansive interpretation of what constitutes an asset under Section 13(b)(2)(B)(iii).” But “eliding the distinction between administrative controls and accounting controls has utility for the Commission. As this proceeding illustrates, a broad interpretation of Section 13(b)(2)(B) to cover computer systems gives the Commission a hook to regulate public companies’ cybersecurity practices,” a hook that the two Commissioners lambasted. It allows the SEC, they asserted, to take the position that “any departure from what the Commission deems to be appropriate cybersecurity policies could be deemed an internal accounting controls violation.” What’s more, the two Commissioners expressed concern that the SEC was “stretch[ing] the law to punish a company that was the victim of a cyberattack. While an enforcement action may be warranted in some circumstances, distorting a statutory provision to form the basis for such an action inappropriately amplifies a company’s harm from a cyberattack.”