In an action the SEC’s two Republican Commissioners sharply criticized in a separately issued statement, the SEC has filed settled charges against business communications services provider R.R. Donnelley & Sons (RRD) relating to the company’s disclosure and accounting controls in connection with cybersecurity incidents the company suffered in late 2021. The company, which the SEC credited for its cooperation and remedial measures, agreed to pay a $2.125 million civil penalty and voluntarily adopted corrective processes and procedures. The settled action provides strong indications of the measures and controls the agency expects reporting companies to adopt and implement with respect to cybersecurity.

The SEC’s June 18, 2024, press release about the settled action can be found here. The agency’s June 18, 2024, cease and desist order with respect to the action can be found here. Cydney Posner’s July 3, 2024, post about the enforcement action on the Cooley law firm’s PubCo blog can be found here.

Background

RRD is a global provider of business communications services and marketing solutions. As part of its services, RRD regularly stored and transmitted data of its clients, much of it confidential. In order to protect the data, RRD maintained an internal intrusion detection system. The system issued a significant number of alerts each month. These alerts were reviewed in the first instance by a third-party security services provider, which would escalate alerts to RRD cybersecurity personnel according to identified protocols.

The SEC alleges that between November 29, 2021, and December 23, 2021, RRD experienced a ransomware network intrusion. The company’s intrusion detection system began issuing alerts, some of which were escalated to RRD cybersecurity personnel. However, though the RRD personnel reviewed the alerts, the alerts were not further escalated until later in December. In the meantime, the threat actor used hacking techniques and encryption software on RRD computers to exfiltrate 70 gigabytes of data, including data belonging to RRD clients. RRD began actively responding to the intrusion alerts on December 23, 2021. The response included shutting down servers and notifying clients and federal and state agencies. On December 27, 2021, the company made the first of several public disclosures about the cyber intrusion incident.

The Settled Charges

The SEC alleged that RRD failed to design effective disclosure-related controls and procedures around cybersecurity incidents to ensure that relevant information was communicated to management to allow timely decisions regarding potentially required disclosure. Specifically, the agency alleged that despite having information about the 2021 cyber intrusion, the company failed to adequately assess the information from a disclosure perspective. The agency also alleged that during the 2021 cybersecurity incident, the company’s failure to establish an appropriate prioritization scheme with clear guidance to internal and external personnel was exploited by hackers. The agency’s cease and desist order reflects a particular concern about the time that passed between the initial alerts about the incident and the date on which the company launched remedial measures, noting that it was during this lag time between the alert and the response that the threat actor exfiltrated the data.

In its press release about the settled charges, an agency spokesperson stated that the agency instituted the enforcement action “because RRD’s controls for elevating cybersecurity incidents to its management and protecting company assets from cyberattacks were insufficient.”

The Republican Commissioners’ Separate Statement

In a separate, sharply worded June 18, 2024, statement, SEC Commissioners Hester Peirce and Mark Uyeda criticized the Commission for “treating Exchange Act Section 13(b)(2)(B)’s internal accounting control provision as a Swiss Army Statute to compel issuers to adopt policies and procedures the Commission believes prudent.” The two commissioners went on to say that “Identifying a link between the Commission’s preferred policies and procedures and accounting controls seems a collateral concern, if it is a concern at all.”

In their statement, the two commissioners said that the Commission’s Order “ignores the distinction between internal accounting controls and broader administrative controls.” The two commissioners observed that the broad interpretation of the agency’s authority “gives the Commission a hook to regulate public companies’ cybersecurity practices,” allowing the agency to deem any departure from what the Commission believes are appropriate cybersecurity policies an internal accounting control violation.

The two commissioners concluded their statement by noting that they were particularly concerned by “the Commission’s decision to stretch the law to punish a company that was the victim of a cyberattack.” While conceding that an enforcement action may be warranted in some circumstances, they added that “distorting a statutory provision to form the basis for such an action inappropriately amplifies a company’s harm from a cyberattack.”

Discussion

The Republican Commissioners’ separate statement certainly highlights many of the concerning aspects of this enforcement action. The two commissioners forcefully make the point that by pursuing this action the Commission was in effect punishing a company that suffered a cyberattack, and that the agency stretched its legal authority in order to do so.

From my perspective, it is noteworthy that the agency does not seem to allege that investors were misled by any company disclosures. No fraud is alleged and no improper transactions are alleged. Indeed, the agency does not even seem to have alleged that any RRD clients or customers were harmed. Rather, the action seems to be entirely based on alleged failures in the processes that the company instituted and implemented in order to monitor administrative measures. In that sense, it does seem, as the Republican Commissioners noted in their separate statement, that this is an unusual action on the agency’s part.

Moreover, the agency’s allegation that the company’s administrative controls were deficient is not based on a specific, existing prescriptive set of rules. Rather, as the Republican Commissioners point out in their statement, the agency’s ostensible authority to act with respect to the company’s cybersecurity procedures is based on the agency’s general authority with respect to internal accounting controls. That, of course, raises the question of whether the controls at issue in this enforcement action are in fact internal accounting controls.

Some readers may wonder why there is no mention of the agency’s cybersecurity disclosure rules, which the agency adopted in July 2023. Although the agency’s order does not mention it, the likely reason that the cybersecurity disclosure rules were not involved in this enforcement action is that the agency adopted the rules well after the incidents involved in this action.

In any event, well-advised companies seeking to avoid similar conflicts with the agency and trying to maintain adequate and appropriate cybersecurity reporting processes and procedures will want to review the agency’s cease and desist order carefully. In describing the ways in which the agency contends that RRD’s controls were inadequate, the agency inferentially suggests ways that companies’ internal reporting procedures can be improved in order to ensure that incident alerts are elevated and acted upon appropriately.

Whatever else you want to say about the circumstances involved here, there was a lag between the time of the initial alert and the point at which the company responded to the intrusion, and it was during this lag that the data exfiltration took place. Regardless of any question about a possible SEC enforcement action, all companies seeking to protect their data and assets from this kind of intrusion will want to take steps to ensure that this kind of lag does not occur in their operations.

Readers interested in the larger question of whether or not this action was within the SEC’s enforcement reach will want to refer to John Jenkins’s July 8, 2024, post on TheCorporateCounsel.net blog, here.