The Securities and Exchange Commission is leaning on an expansive interpretation of a provision in one of the statutes it enforces as the agency looks to more aggressively assert jurisdiction over cybersecurity-related matters, legal analysts said.
The provision at issue, Section 13(b)(2)(B) of the Securities Exchange Act, requires public companies to maintain internal accounting controls. The SEC in recent years has expanded its interpretation and use of the provision in ways that have raised eyebrows.
In the latest example, the SEC last week announced that R.R. Donnelley & Sons Co., a global provider of business communication and marketing services, agreed to pay about $2.1 million to settle commission charges that it violated Section 13(b)(2)(B) by failing to “devise and maintain a system of cybersecurity-related internal accounting controls.” The charges stemmed from the company’s response to a 2021 ransomware attack.
“As the dissenting SEC commissioners noted, it’s arguably an aggressive expansion of the SEC’s use of this provision,” Charu Chandrasekhar, a partner in the securities enforcement practice of law firm Debevoise & Plimpton, said in an interview. “I don’t think the application to cybersecurity systems is consistent with the purpose of the provision and the context in which the provision has historically been applied by the SEC.”
The enforcement action represents the SEC’s latest assertion of jurisdiction under Section 13(b)(2)(B) to punish a company for alleged failures that don’t impact financial reporting or accounting controls, according to a memo published by law firm Sullivan & Cromwell on Friday.
And the case also marks the second time that the agency has used the provision to address a cybersecurity breach, the memo said. The first such action, against Austin, Texas-based software provider SolarWinds, is currently being litigated in the U.S. District Court for the Southern District of New York.
“Given the pending challenge in the SolarWinds case to the SEC’s expansive interpretation of its jurisdiction under Section 13(b)(2)(B), it remains to be seen whether the SEC’s use of the provision to penalize companies victimized by cybercrime will withstand judicial scrutiny,” the memo said.
The SEC over the last few years has been sharpening its cybersecurity enforcement and regulatory focus.
In October, the commission sued SolarWinds and its chief information security officer, Timothy Brown, for allegedly defrauding investors by mischaracterizing cybersecurity practices that were in place at the company leading up to a major breach discovered in December 2020. SolarWinds was also accused of violating reporting and internal controls provisions of the Exchange Act. The company has denied the charges.
Meanwhile, last December, the agency began enforcing new rules that require public companies to disclose “material” cybersecurity incidents within four business days of determining that an incident is material. The rules build on prior agency guidance. At the time, Erik Gerding, director of the SEC’s Division of Corporation Finance, said the agency wasn’t seeking to “prescribe particular cybersecurity defenses, practices, technologies, risk management, governance, or strategy.”
The SEC’s latest action is in direct conflict with Gerding’s statement, according to a Thursday blog post published by Debevoise & Plimpton.
The SEC’s interpretation of Section 13(b)(2)(B) in the case puts the agency in the position of “basically judging or second-guessing the strength and adequacy of a company’s cybersecurity controls,” Mark Schonfeld, a litigation partner at law firm Gibson, Dunn & Crutcher, said in an interview.
“I think there’s certainly the question as to whether this is what Congress intended by internal accounting controls,” he said.
Another reason the case is problematic is that it creates regulatory uncertainty, according to Schonfeld.
“This enforcement action doesn’t really provide any guidance as to what constitutes an adequate set of cybersecurity controls,” he said.
Under Section 13(b)(2)(B), public companies must devise and maintain a system of internal accounting controls sufficient to provide “reasonable assurances” that access to company assets is permitted “only in accordance with management’s general or specific authorization.”
Based on the SEC’s reading of the statute, the agency can punish any company that is the victim of a cybercrime, according to Nicole Friedlander, a partner at Sullivan & Cromwell’s Criminal Defense and Investigations Group and co-head of its cybersecurity practice.
“The SEC is saying that assets are anything the company owns or possesses, including a computer system,” Friedlander said in an interview. “And so, if anybody touches those things without management authorizing them to, then the SEC can say the company has violated federal securities laws.”
R.R. Donnelley failed to execute a timely response to a ransomware attack that occurred between Nov. 29 and Dec. 23 of 2021, according to a commission order resolving the case.
The threat actor was able to use “deceptive hacking techniques” to install encryption software on certain R.R. Donnelley computers and exfiltrated 70 gigabytes of data, including data belonging to 29 of the company’s 22,000 clients, some of which contained personal identification and financial information, the order said.
However, the company’s investigation uncovered no evidence that the threat actor accessed financial systems and corporate financial and accounting data.
According to the commission’s order, R.R. Donnelley failed to design effective disclosure-related controls and procedures around cybersecurity incidents to ensure that relevant information was communicated to management to allow timely decisions regarding potentially required disclosure.
The company also failed to “reasonably design and maintain internal controls that complied with Exchange Act Section 13(b)(2)(B),” the SEC said. Specifically, the company’s cybersecurity alert review and incident response policies and procedures “failed to adequately establish a prioritization scheme and to provide clear guidance to internal and external personnel on procedures for responding to incidents,” the agency said.
“The Commission instituted this enforcement action because RRD’s controls for elevating cybersecurity incidents to its management and protecting company assets from cyberattacks were insufficient,” Jorge Tenreiro, acting chief of the SEC’s Crypto Assets and Cyber Unit, said in a press release. “RRD did, however, cooperate with our investigation in a meaningful way, and that is reflected in the terms of this settlement.”
Without admitting or denying the SEC’s findings, R.R. Donnelley agreed to pay the $2.1 million civil penalty and to cease and desist from violating Section 13(b)(2)(B) of the Exchange Act as well as Exchange Act Rule 13a-15(a), which requires public companies to maintain disclosure controls and procedures.
The SEC’s two Republican commissioners, Hester Peirce and Mark Uyeda, issued a joint dissenting statement objecting to the agency’s action.
“The Commission’s order faulting RRD’s internal accounting controls breaks new ground with its expansive interpretation of what constitutes an asset under Section 13(b)(2)(B)(iii),” the commissioners said.
A broad interpretation of the provision to cover computer systems “gives the Commission a hook to regulate public companies’ cybersecurity practices,” they said.
A spokesperson for the SEC declined to comment. R.R. Donnelley didn’t immediately respond to a request for comment.