The SEC continues to expand its cybersecurity enforcement authority to include allegations that a company's failure to monitor its managed security service providers (MSSP) amounts to violations of federal securities laws. Recently, the SEC brought settled charges against R.R. Donnelley & Sons Co. (RRD or the Company). In the settlement order, the SEC alleged that RRD failed to maintain effective disclosure controls to inform decision-makers promptly with all relevant information concerning cyber alerts from monitoring tools and cybersecurity incidents. In a first-of-its-kind settlement, the SEC alleged that RRD failed to maintain internal accounting controls because the Company 1) failed to have sufficient controls to oversee its MSSP, 2) had inadequate cyber alert review protocols and 3) maintained insufficient cybersecurity access controls. The issue of whether internal accounting controls apply to cybersecurity access controls is hotly contested in the SEC v. SolarWinds case (discussed at length in our recent post and in a forthcoming post) and opposed by two of the five SEC Commissioners.
Background
According to the settlement order, RRD is a global provider of business communications services and marketing solutions, and its information technology (IT) systems stored and transmitted sensitive client data. RRD relied on an MSSP to monitor its intrusion detection system alerts and, upon an initial investigation, the MSSP would escalate significant alerts to RRD's internal cybersecurity personnel.
On Nov. 29, 2021, an internal intrusion detection system began issuing alerts concerning malware and other suspicious activity within RRD's IT systems. The MSSP reviewed these alerts and escalated some of them to the Company's security personnel; the MSSP also provided RRD a link to an article that described the malware and its frequent use in ransomware attacks. Relying in part on the MSSP, RRD did not take the affected systems off the network. As a result, the threat actor was able to exfiltrate 70 gigabytes of data, including data belonging to some customers that contained personally identifiable information (PII). However, according to the order, there was no evidence that the threat actor accessed RRD's financial systems or corporate financial and accounting data.
On Dec. 23, 2021, after a third-party company with shared access to the network alerted RRD's chief information security officer (CISO) about suspicious activity in the environment, RRD engaged in incident response activities and shut down the affected servers. RRD disclosed the incident in a Form 8-K it filed on Dec. 27, 2021, the first business day after the Christmas holiday.
The Settlement
The SEC alleged that due to RRD's delay in responding to initial cyber alerts, the Company violated the disclosure controls and procedures requirements of Exchange Act Rule 13a-15(a). The rule requires issuers to maintain controls and procedures that are designed to ensure that information required to be disclosed is accumulated and communicated to management to allow for timely decisions regarding disclosure. Since cyber alerts raise concerns about suspicious activity within RRD's environment, the SEC alleged that RRD failed to disclose all relevant information related to these alerts and the ongoing incident to relevant decision-makers in a timely manner. The SEC also alleged that RRD did not provide sufficient guidance to personnel regarding the reporting of such information to management.
Furthermore, the SEC alleged violations of Exchange Act Section 13(b)(2)(B), which requires certain issuers to maintain internal accounting controls sufficient to provide reasonable assurances, among other things, that access to company assets is permitted only in accordance with management's authorization. According to the order, RRD failed to maintain adequate policies and procedures concerning employee review of cyber alerts and provide clear guidance on the procedures for responding to cybersecurity incidents. In a first-of-its-kind claim, the SEC alleged that RRD violated the internal accounting controls provision by failing to have sufficient controls in overseeing its MSSP in relation to the review of and response to cyber alerts. Finally, the SEC claimed that the Company failed to maintain effective internal accounting controls because its cybersecurity access controls did not prevent RRD's systems from being "exploited by hackers."
As part of the settlement with the SEC, without admitting or denying fault, RRD agreed to cease and desist from violations of Exchange Act Section 13(b)(2)(B) and Rule 13a-15(a) and pay a civil penalty of $2.125 million. The SEC emphasized the Company's cooperation and remedial efforts, which included self-reporting the incident to the SEC before disclosing it to investors, voluntarily revising its policies, adopting new controls, increasing cybersecurity personnel and communicating with SEC staff promptly before the agency issued subpoenas, including "obtaining information from various employees, providing additional documents, and explaining technical cybersecurity issues."
A Growing Dissent
The order was criticized by two of the five SEC Commissioners. Following on the heels of fully briefed motion to dismiss arguments in SEC v. SolarWinds that internal accounting controls must relate to accounting controls and not to other administrative controls (e.g., cybersecurity access controls), SEC Commissioners Hester M. Peirce and Mark T. Uyeda doubled down on this criticism. The Commissioners issued a statement titled "Hey, look, there's a hoof cleaner!" asserting that the SEC is essentially misusing internal accounting controls as a "Swiss Army [knife] to compel issuers to adopt policies and procedures the Commission believes prudent" regardless of any link to "accounting controls."
In the statement, the Commissioners argued that RRD's "information technology systems and networks" did not qualify as "assets" under Section 13(b)(2)(B), and that "assets" under this provision must relate to financial assets and the reliability of financial records. This argument mirrors those raised by SolarWinds and its CISO in their ongoing litigation against the SEC. The Commissioners also noted that the SEC's charges seemed to "punish a company that was the victim of a cyberattack."
Key Takeaways
SEC Expands Internal Accounting Controls Again
The SEC continues to move aggressively in the cyber enforcement space, making novel arguments to expand its authority as a cybersecurity regulator. For instance, in SEC v. SolarWinds, the SEC seeks to expand internal accounting controls to include access controls in the cybersecurity context.1 There, the SEC argued that access controls provided access to IT "assets."
Here, despite significant and growing challenges to its interpretation of internal accounting controls, the SEC seeks to expand the definition even further to include administrative controls governing a company's oversight of "the MSSP's review and escalation of [cyber] alerts." The SEC does not attempt to explain whether such administrative controls are connected to "access to assets" as required under Section 13(b)(2)(B). Nevertheless, such an argument would seem to be a step removed from a company's cybersecurity policies related to access controls.
Essentially, the SEC interprets internal accounting controls to include policies governing the cybersecurity aspects of a company's third-party vendor management program. Such an interpretation creates a heavy burden on companies to monitor their vendors' practices closely. Many companies must outsource some portion of their cybersecurity program; however, in doing so, they will not have direct observation of the day-to-day practices of those vendors and may find it challenging to provide the level of oversight that the SEC seems to demand.
In light of the Supreme Court's case in Loper Bright Enterprises v. Raimondo, which overturned the principles of Chevron deference, it remains to be seen how far the SEC can expand its interpretation of internal accounting controls. Moreover, with every effort to further expand internal accounting controls to encompass some new administrative control, the SEC risks that a court may strike down its arrogated cybersecurity authority or portions thereof.
For the foreseeable future, issuers should be aware that deficiencies in their cybersecurity policies concerning access controls or in the oversight of their third-party vendor management programs may result in an SEC investigation or charges of violations of federal securities laws relating to internal accounting controls. Relatedly, cybersecurity professionals, such as CISOs and chief technology officers (CTOs), should be cognizant that any cyber incident could be fair game for an SEC enforcement investigation.
SEC Provides Examples of How to Cooperate in a Cybersecurity-Related Enforcement Action
The SEC continues to drive hard to the proverbial hoop to extoll the virtues of cooperation (as we have discussed here, here, here and here). The settlement with RRD is no exception. In the order, the SEC recognized several components of RRD's cooperation with the staff and noted that these efforts impacted the size of the civil penalty. However, this case was the second largest of four SEC settlements concerning cybersecurity incidents since 2020,2 so it is not evident exactly how much the Company's cooperation was credited.
Nevertheless, by highlighting these steps, the SEC reinforces its appreciation for and encouragement of cooperation and outlines the practice that could lead to cooperation credit in connection with a cybersecurity incident specifically, including:
- reporting a cybersecurity incident to the SEC before filing a Form 8-K
- voluntarily revising policies and procedures and adopting new controls
- updating employee training
- increasing cybersecurity personnel
- providing SEC Enforcement a detailed explanation and summaries of specific factual issues
- promptly following up on staff requests without requiring a subpoena
Footnotes
1. In cybersecurity, access controls are policies and procedures to ensure that only authorized users can access and use the information system and that authorized users are granted the appropriate level of access to the data within such systems.
2. The other three cases settled for approximately $488,000, $1 million and $3 million.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.