ARTICLE
13 August 2024

Making The Connection – What Do Recent SEC Enforcement Actions Mean For Cyber Controls?

WilmerHale

On July 18, 2024, the U.S. District Court for the Southern District of New York dismissed most of the claims brought by the Securities and Exchange Commission (the "Commission") against SolarWinds Corp. ("SolarWinds") and its Chief Information Security Officer ("CISO") in SEC v. SolarWinds Corp. et al. in connection with the SUNBURST attack.1 Among other things, the decision provides important perspective on the debate over whether controls associated with cybersecurity matters are covered by the internal accounting controls provisions of Section 13(b)(2)(B) of the Securities Exchange Act of 1934, as amended (the "Exchange Act"). The court's dismissal in SolarWinds stands in sharp contrast to the Commission's June 18, 2024 settlement with R.R. Donnelley & Sons Company ("RRD") relating to cybersecurity incidents, which included violations of Section 13(b)(2)(B) with regard to internal accounting controls and of Exchange Act Rule 13a-15(a) with regard to disclosure controls and procedures ("DCP").2

Not all of the SEC's claims against SolarWinds and its CISO were dismissed. Some limited claims were allowed to proceed, including the claims of securities fraud related to SolarWinds' Security Statement, which included statements related to the strength of SolarWinds' password protections and access controls. The court found that, in the context of the motion to dismiss where the assertions in the pleadings were taken as true, SolarWinds' statements in the Security Statement would be "materially misleading by a wide margin" as opposed to mere "puffery."

This alert explores these recent developments, beginning with a refresher on the elements of DCP, internal accounting controls, and internal control over financial reporting ("ICFR"), analyzes those requirements in light of recent Commission enforcement and judicial actions, and concludes with some practical considerations for issuers.

Background

In 1977, Congress enacted the Foreign Corrupt Practices Act (the "FCPA") and added Section 13(b)(2)(B) to the Exchange Act, which requires issuers to maintain necessary precautions, known as internal accounting controls, to ensure the reliability and accuracy of financial records. Section 13(b)(2)(B) codified auditing standards then set forth in American Institute of Certified Public Accountants Statement on Auditing Standards No. 1. These provisions fundamentally sought to deter the inaccurate accounting of transactions intended to conceal corporate bribery.

Twenty-five years later, Congress enacted the Sarbanes-Oxley Act of 2002 ("SOX") following a number of corporate misdeeds, which sought to protect investors by improving the accuracy and reliability of corporate disclosures. SOX Section 302 tasked the Commission with promulgating requirements that public company principal executive officers and principal financial officers certify each annual and quarterly report, making several representations within those certifications, including as to responsibility for designing and evaluating the effectiveness of internal controls. Similarly, SOX Section 404 tasked the Commission with promulgating rules requiring an annual assessment of a company's internal control structure.

In response, the Commission promulgated Exchange Act Rule 13a-15 in late 2002, which requires certain officers to establish, maintain and evaluate the effectiveness of DCP.3 At that time, DCP was a newly-defined term reflecting the concept of controls and procedures related to disclosure embodied in Section 302(a)(4) of SOX. In 2003, the Commission amended Rule 13a-15 to implement Section 404 of SOX, adding to the rule the requirement that issuers maintain and evaluate ICFR and that certain issuers obtain an annual attestation report on ICFR from an independent registered public accounting firm.4 Similar to DCP, ICFR was a newly-defined term at the time. In the adopting release, the Commission noted the evolution of the meaning of "internal controls" beginning with the groundwork laid by the FCPA and subsequent confusion over its meaning. Some commenters urged the Commission "to adopt a considerably broader definition of internal control that would focus not only on internal control over financial reporting, but also on internal control objectives associated with enterprise risk management and corporate governance." The Commission rejected that proposal, articulating the following rationales in the adopting release:

  • Section 404 of SOX focuses on the element of internal control that relates to financial reporting;
  • even the more limited definition proposed by the Commission was expected to impose "substantial reporting and cost burdens on companies"; and
  • independent accountants traditionally have not had responsibility for, or attested to management's assessment of, internal controls that exist outside the boundaries of financial reporting.

Taking those considerations into account, including confusion over the terminology to be used, the Commission adopted the term "internal control over financial reporting," and noted that its final ICFR definition "is consistent with the description of internal accounting controls in Exchange Act Section 13(b)(2)(B)."5

Though the definitions of "internal accounting controls" from the FCPA and "ICFR" from SOX are intended to be "consistent," there are indeed definitional differences, with ICFR being more narrowly defined. With respect to applicable requirements, internal accounting controls speaks to "reasonable assurances" that "access to assets is permitted only in accordance with management's general or specific authorization." The corresponding provision in the ICFR definition includes a materiality qualifier and more directly focuses on the relationship to the financial statements, as it speaks to "reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use or disposition of the issuer's assets that could have a material effect on the financial statements."


Footnotes

1. Sec. & Exch. Comm'n v. SolarWinds Corp., No. 23 CIV. 9518 (PAE), 2024 WL 3461952 (S.D.N.Y. July 18, 2024).

2. Press Release, U.S. Sec. Exch. Comm'n, SEC Charges R.R. Donnelley & Sons Co. with Cybersecurity-Related Controls Violations (June 18, 2024), https://www.sec.gov/newsroom/press-releases/2024-75.

3. Certification of Disclosure in Companies' Quarterly and Annual Reports, Release No. 33-8124 (Aug. 29, 2002), https://www.sec.gov/rules-regulations/2002/08/certification-disclosure-companies-quarterly-annual-reports.

4. Management's Report on Internal Control Over Financial Reporting and Certification of Disclosure in Exchange Act Periodic Reports, Release No. 33-8238 (June 5, 2003), https://www.sec.gov/rules-regulations/2003/03/managements-report-internal-control-over-financial-reporting-certification-disclosure-exchange-act.

5. The adopting release also acknowledged that the term "does not encompass the elements of the [Committee of Sponsoring Organizations ("COSO") of the Treadway Commission] Report definition that relate to effectiveness and efficiency of a company's operations and a company's compliance with applicable laws and regulations, with the exception of compliance with the applicable laws and regulations directly related to the preparation of financial statements, such as the Commission's financial reporting requirements." The COSO framework was established in 1992, led by Executive Vice President and General Counsel James Treadway, Jr., and is a system used to establish internal controls that provide reasonable assurance that the organization is operating ethically, transparently and in accordance with industry standards. The COSO framework goes beyond financial reporting and defines internal control as "a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives" in three categories: effectiveness and efficiency of operations; reliability of financial reporting; and compliance with applicable laws and regulations. Public companies commonly map their SOX controls against the COSO framework to evaluate their control environment.
