The SEC’s Controls-Based Approach to Cybersecurity Enforcement Continues, with an Accounting Twist
Republished at The Corporate & Securities Law Advisor
On June 18, 2024, R.R. Donnelley & Sons Co. (RRD) settled a $2.125 million SEC administrative enforcement action based on RRD’s alleged failure to design effective disclosure controls and procedures as required by Securities Exchange Act of 1934 (“Exchange Act”) Rule 13a-15(a). The SEC also alleged that RRD violated Exchange Act Section 13(b)(2)(B), a statute that requires public companies to devise and maintain “a system of internal accounting controls” that prohibits access to a company’s “assets” without authorization by management. According to the SEC, RRD’s alleged failure to maintain adequate cybersecurity controls over its information technology systems and networks, which contained sensitive business and client data, violated this statute. SEC Commissioners Hester Peirce and Mark Uyeda dissented from the application of Section 13(b)(2)(B) to non-accounting controls, consistent with their November 2023 dissent in the SEC’s settlement with Charter Communications relating to stock buybacks and Rule 10b5-1 trading plans.
Between November and December 2021, RRD suffered a ransomware network intrusion. RRD’s intrusion detection system issued alerts, which were reviewed by RRD’s third-party managed security services provider (MSSP). The MSSP escalated some, but not all, alerts to RRD’s internal security personnel beginning on November 29, 2021. Although RRD reviewed these escalated alerts, it did not take the infected systems off the network and did not open an investigation until December 23, 2021. During this period, the MSSP also reviewed, but did not escalate to RRD’s internal security personnel, at least 20 alerts relating to the same malware being installed or executed on multiple other computers across the network.
RRD began responding to the attack on December 23, 2021, after its Chief Information Security Officer was notified of anomalous internet activity by an unidentified company with shared access to RRD’s network. Four days later, RRD self-reported the incident to the SEC and then filed a Form 8-K. In total, the threat actor exfiltrated 70 GB of data belonging to RRD’s clients, including personal identification and financial information. RRD uncovered no evidence that the threat actor accessed RRD’s financial systems or corporate financial or accounting data.
In deciding to bring Section 13(b)(2)(B) charges, the SEC alleged that RRD’s cybersecurity alert review and incident response policies did not adequately establish prioritization schemes or give internal and external personnel clear guidance on how to review and respond to cybersecurity incidents. The order noted that RRD security personnel “failed to adequately review [] alerts and take adequate investigative and remedial measures,” and that RRD staff tasked with reviewing and responding to escalated alerts had “significant other responsibilities, leaving insufficient time to dedicate to the escalated alerts and general threat-hunting.” The SEC’s press release credited RRD’s “meaningful cooperation that helped expedite the staff’s investigation” and its voluntary adoption of “new cybersecurity technology and controls” as factors resulting in the $2.125 million civil penalty.
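The control gap the order describes, an alert pipeline with no written prioritization rule, so that repeated hits of an already-escalated signature on other hosts were reviewed but never pushed to internal staff, is easiest to see when the rule is written down as code. The following is an added illustration, not code from RRD, its MSSP or the SEC order: the alert records, signature names, hostnames and the three-host spread threshold are all constructed for the example. It encodes three escalation triggers (high severity, same signature as an alert already escalated, same signature spreading across several hosts) and derives from them both the escalation list and the set of hosts to isolate pending investigation.

```python
"""Alert-escalation policy illustrating the control gap described above.

Constructed example: the alert records, signature names and thresholds are
invented for illustration and are not taken from the RRD order.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Alert:
    alert_id: int
    ts: str          # ISO-8601 timestamp from the IDS/EDR sensor (constructed)
    host: str        # endpoint the detection fired on
    signature: str   # detection name as reported by the sensor
    severity: str    # "low", "medium" or "high"
    escalated: bool = False  # True if the MSSP already handed it to internal staff


# Constructed sample feed: one dropper alert was escalated, three later hits of
# the same signature on other hosts were reviewed but never escalated.
SAMPLE_ALERTS: List[Alert] = [
    Alert(1, "2024-01-03T08:02:11", "host-01", "Ransomware.Dropper.EXAMPLE", "high", escalated=True),
    Alert(2, "2024-01-03T09:10:40", "host-02", "Ransomware.Dropper.EXAMPLE", "medium"),
    Alert(3, "2024-01-03T09:12:05", "host-03", "Ransomware.Dropper.EXAMPLE", "medium"),
    Alert(4, "2024-01-04T14:31:22", "host-04", "Ransomware.Dropper.EXAMPLE", "medium"),
    Alert(5, "2024-01-04T15:00:00", "host-05", "PUA.Toolbar.EXAMPLE", "low"),
    Alert(6, "2024-01-05T10:45:09", "host-06", "CredentialDump.EXAMPLE", "high"),
]


def triage(alerts: List[Alert], spread_threshold: int = 3) -> Tuple[Dict[int, str], List[str]]:
    """Apply a written escalation rule to a batch of alerts.

    Returns (escalations, isolate):
      escalations - alert_id -> reason string for every alert that must go to
                    internal security staff (already-escalated alerts are skipped)
      isolate     - sorted hosts to take off the network pending investigation
    """
    # Signatures that internal staff already know about: any recurrence of
    # these on another host is, by policy, an automatic escalation.
    escalated_sigs = {a.signature for a in alerts if a.escalated}

    # Count distinct hosts per signature to detect lateral spread.
    hosts_by_sig: Dict[str, Set[str]] = defaultdict(set)
    for a in alerts:
        hosts_by_sig[a.signature].add(a.host)

    escalations: Dict[int, str] = {}
    isolate: Set[str] = {a.host for a in alerts if a.escalated}
    for a in alerts:
        if a.escalated:
            continue
        reasons = []
        if a.severity == "high":
            reasons.append("high severity")
        if a.signature in escalated_sigs:
            reasons.append("same signature as an alert already escalated")
        n_hosts = len(hosts_by_sig[a.signature])
        if n_hosts >= spread_threshold:
            reasons.append(f"signature seen on {n_hosts} hosts")
        if reasons:
            escalations[a.alert_id] = "; ".join(reasons)
            isolate.add(a.host)
    return escalations, sorted(isolate)


if __name__ == "__main__":
    esc, hosts = triage(SAMPLE_ALERTS)
    for aid, why in sorted(esc.items()):
        print(f"escalate alert {aid}: {why}")
    print("isolate:", ", ".join(hosts))
```

Run against the constructed feed, the rule escalates alerts 2, 3 and 4 (same signature as the escalated alert, and spread across four hosts) and alert 6 (high severity), leaves the low-severity adware alert unescalated, and lists hosts 01 through 04 and 06 for isolation. The point for a control reviewer is that each trigger is explicit and auditable, so "reviewed but not escalated" can be checked against a stated rule rather than against an analyst's available time.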
In a dissenting statement on the RRD order, Commissioners Peirce and Uyeda expressed concern about the SEC’s use of Section 13(b)(2)(B) as a tool to enforce cybersecurity controls as if they were internal accounting controls. Commissioner Peirce asserted that “computer systems,” while technically assets insofar as they are corporate property, are not the type of assets covered by Section 13(b)(2)(B)’s internal accounting controls provisions because “computer systems” are not the subject of corporate transactions. She emphasized that the Commission’s role with respect to public companies’ activities, including cybersecurity, is limited, and cautioned against agency overreach that erodes the distinction between internal accounting controls and administrative controls more broadly.