On June 18, the Securities and Exchange Commission charged R.R. Donnelley & Sons Co. (RRD), a global provider of business communication and marketing services, with internal control and disclosure control violations stemming from a 2021 ransomware attack on the company. According to the Commission’s administrative order, RRD failed to devise and maintain “cybersecurity-related internal accounting controls” sufficient to provide reasonable assurance that access to RRD’s assets (i.e., its information technology systems and networks) was permitted only in accordance with management authorization. Applying the internal accounting controls requirement, which the Foreign Corrupt Practices Act added to the Securities Exchange Act, to cybersecurity practices is novel, and two Commissioners issued a statement asserting that the Commission was “stretch[ing] the law to punish a company that was the victim of a cyberattack” and “distorting a statutory provision.”
The Commission’s Order
The Commission finds that RRD’s information technology network regularly stored and transmitted confidential data and personal identifying information belonging to its clients. RRD maintained intrusion detection systems that generated alerts that were reviewed initially by a third-party managed security services provider (the “MSSP”). After its initial review, the MSSP would escalate certain alerts to RRD’s cybersecurity personnel, and both RRD’s personnel and the MSSP would handle response and remediation. According to the SEC, this process was flawed in several respects.
RRD did not reasonably manage the MSSP’s allocation of resources.
RRD failed to establish a sufficient prioritization scheme for review and escalation of alerts.
RRD did not have sufficient procedures to audit or otherwise oversee the MSSP to confirm that the MSSP’s work was consistent with RRD’s instructions.
RRD staff that reviewed escalated alerts had other significant responsibilities and insufficient time to dedicate to escalated alerts and general threat-hunting.
RRD’s internal policies failed to sufficiently identify lines of responsibility, set clear criteria for alert and incident prioritization, and establish clear workflows for response and reporting.
Between November 29 and December 23, 2021, RRD experienced a ransomware network intrusion. Alerts from RRD's internal systems and the MSSP indicated malware activity and a phishing campaign. Despite these alerts, RRD did not take action to isolate the infected computers or to investigate further. The MSSP also reviewed, but did not escalate, at least 20 other alerts related to the same activity, including malware on multiple computers and a compromised domain controller. The attacker used deceptive techniques to install encryption software and exfiltrated 70 GB of data, affecting 29 of RRD's 22,000 clients.
RRD began responding to the attack on December 23, 2021, after a company with shared access to RRD’s network alerted RRD’s Chief Information Security Officer to anomalous internet activity from RRD’s network. RRD then initiated a rapid response, shutting down servers and notifying clients and authorities. RRD issued public statements regarding the attack starting December 27, 2021.
Based on these facts, the SEC found that RRD committed two violations.
Internal accounting controls. Securities Exchange Act Section 13(b)(2)(B) requires public companies to devise and maintain a system of internal accounting controls sufficient to provide reasonable assurance, among other things, that access to company assets is permitted only in accordance with management’s general or specific authorization. RRD violated Section 13(b)(2)(B) in that its cybersecurity alert review and incident response policies and procedures failed to adequately establish a prioritization scheme and to provide clear guidance on procedures for responding to incidents. In addition, RRD failed to establish sufficient internal controls to oversee the MSSP’s review and escalation of the alerts. As a result, during the 2021 ransomware incident, RRD’s external and internal security personnel failed to adequately review these alerts and take adequate investigative and remedial measures.
Disclosure controls. Securities Exchange Act Rule 13a-15 requires public companies to maintain disclosure controls and procedures designed to ensure that information required to be disclosed under the Act is recorded, processed, summarized, and reported within the required period. RRD violated Rule 13a-15 in that its cybersecurity procedures and controls were not designed to ensure that all relevant information relating to alerts and incidents was reported to RRD’s disclosure decision-makers promptly and did not provide guidance on the personnel responsible for reporting such information to management. As a result, RRD failed to adequately assess information regarding the ransomware intrusion from a disclosure perspective.
Without admitting or denying the Commission’s findings, RRD consented to an order requiring it to cease and desist from further violations of these provisions and to pay a $2.125 million civil penalty.
Statement of Commissioners Peirce and Uyeda
Commissioners Peirce and Uyeda issued a statement, Hey, look, there’s a hoof cleft in it! Statement on R.R. Donnelley & Sons, Co., critical of the internal accounting control charge in the RRD order, which they characterize as “break[ing] new ground with its expansive interpretation of what constitutes an asset under Section 13(b)(2)(B)(iii).” They examine the history of Section 13(b)(2) and conclude that the clause regarding access to assets only in accordance with management’s authorization does not encompass all corporate assets, but only those that are the subject of corporate transactions.
“While RRD’s computer systems constitute an asset in the sense of being corporate property, computer systems are not the subject of corporate transactions. At most, computer systems process transactions in corporate assets, but the internal accounting controls are concerned with the use and disposition of the corporate assets themselves. The controls associated with the means of processing transactions in corporate assets are more appropriately categorized as administrative controls involving management decisions prior to authorizing transactions.
“* * * By treating RRD’s computer systems as an asset subject to the internal accounting controls provision, the Commission’s Order ignores the distinction between internal accounting controls and broader administrative controls. This distinction, however, is essential to understanding and upholding the proper limits of Section 13(b)(2)(B)’s requirements.”
Commissioners Peirce and Uyeda see the RRD order as opening the door to the Commission dictating public company security practices. “As this proceeding illustrates, a broad interpretation of Section 13(b)(2)(B) to cover computer systems gives the Commission a hook to regulate public companies’ cybersecurity practices. Any departure from what the Commission deems to be appropriate cybersecurity policies could be deemed an internal accounting controls violation.”
Audit Committee Takeaways
The RRD case illustrates the broad potential scope of the internal accounting control provisions of the Foreign Corrupt Practices Act and the Commission’s ability to use those provisions to regulate cybersecurity (and other) corporate administrative and managerial practices. The case is also a reminder of the Commission’s increasing reliance on the disclosure controls requirement in Rule 13a-15 to bring enforcement actions in which it is dissatisfied with the speed at which a company considered a potential disclosure issue, even if it does not charge a disclosure violation. See The SEC is Zeroing in on Disclosure Controls, April 2023 Update.
Audit committees (particularly those with responsibility for cybersecurity oversight) may want to use the RRD case as an opportunity to discuss with the CISO or other relevant members of management whether the company’s cybersecurity procedures could be viewed as having any of the same flaws as the SEC identified at RRD. For example, committees and management may want to review the oversight of any third-party service providers involved in evaluating and responding to cybersecurity incidents, including lines of communication with company staff and decision protocols under which service providers operate. The adequacy of company staffing, relative to the number of alerts and threats the company receives, is also an issue that should be revisited periodically. Finally, it is important to ensure that the cybersecurity staff has a clear understanding of the criteria under which it should bring alerts or cyber incidents to the attention of those charged with making decisions regarding public disclosure.