The SEC’s Controls-Based Approach to Cybersecurity Enforcement Continues, with an Accounting Twist

25 Jun 2024
Client Alert

On June 18, 2024, R.R. Donnelley & Sons Co. (RRD) settled a $2.125 million SEC administrative enforcement action based on RRD’s alleged failure to design effective disclosure controls and procedures as required by Securities Exchange Act of 1934 (“Exchange Act”) Rule 13a-15(a). The SEC also alleged that RRD violated Exchange Act Section 13(b)(2)(B), a statute that requires public companies to devise and maintain “a system of internal accounting controls” that prohibit access to a company’s “assets” without authorization by management. According to the SEC, RRD’s alleged failure to maintain adequate cybersecurity controls over its information technology systems and networks, which contained sensitive business and client data, violated this statute. SEC Commissioners Hester Peirce and Mark Uyeda dissented to the application of Section 13(b)(2)(B) to non-accounting controls, consistent with their November 2023 dissent in the SEC’s settlement with Charter Communications relating to stock buybacks and Rule 10b5-1 trading plans.

Key Takeaways

  • This settlement marks the SEC’s second application of Section 13(b)(2)(B) to cybersecurity controls in the aftermath of a cyber incident in which threat actors accessed a public company’s IT systems and networks. Historically, the SEC has used Section 13(b)(2)(B) to enforce accounting controls violations that allowed alleged unauthorized access to a company’s financial or payment systems, typically resulting in payments made by company employees without proper authorization. Along with the SEC’s litigation against SolarWinds, discussed below, the RRD settlement is the latest indication from at least three of the SEC Commissioners of their view that public companies’ cyber incident and response policies, as well as actions taken by company personnel in accordance with those policies, fall within the purview of Section 13(b)(2)(B).
  • Questions about the application of Section 13(b)(2)(B) to cybersecurity controls are currently being litigated in federal court. The SEC’s first cyber enforcement action including Section 13(b)(2)(B) charges is currently under consideration by Judge Paul Engelmayer in the Southern District of New York at the motion to dismiss stage. See SEC v. SolarWinds Corp. et al., No. 1:23-cv-09518-PAE. A victory by SolarWinds on its 13(b)(2)(B) defense could affect how the SEC approaches future Section 13(b)(2)(B) cybersecurity enforcement actions involving exfiltration of computer code and software or access to IT infrastructure.
  • Public companies should review their incident response and escalation policies in the wake of the RRD settlement and SolarWinds litigation. While questions remain about whether cybersecurity controls constitute accounting controls, and whether computer code and IT networks are in fact “assets” under Section 13(b)(2)(B), public companies should take steps to ensure that their cybersecurity incident response policies: (1) clearly identify responsible personnel with authority for responding to cybersecurity incidents; (2) establish unambiguous guidelines for reviewing and prioritizing alerts and incidents; and (3) create well-defined processes for escalating and reporting incidents internally, including communication with decision-makers responsible for disclosure. Public companies should also ensure that they are adequately resourced to execute existing policies and procedures and that they implement adequate investigative and remedial actions in accordance with their incident response and escalation policies when necessary.

Overview of the SEC’s Allegations

Between November and December 2021, RRD suffered a ransomware network intrusion. RRD’s intrusion detection system issued alerts, which were reviewed by RRD’s third-party managed security services provider (MSSP). The MSSP escalated some, but not all, alerts to RRD’s internal security personnel beginning on November 29, 2021. While RRD reviewed these escalated alerts, it did not take infected systems off the network and failed to conduct an investigation until December 23, 2021. During this period, the MSSP also reviewed, but did not escalate to RRD’s internal security personnel, at least 20 alerts relating to the same malware being installed or executed on multiple other computers across the network.

RRD began responding to the attack on December 23, 2021, after its Chief Information Security Officer was notified of anomalous internet activity by an unidentified company with shared access to RRD’s network. Four days later, RRD self-reported the incident to the SEC and then filed a Form 8-K. In total, the threat actor exfiltrated 70 GB of data belonging to RRD’s clients, including personal identification and financial information. RRD uncovered no evidence that the threat actor accessed RRD’s financial systems or corporate financial or accounting data.

In deciding to bring Section 13(b)(2)(B) charges, the SEC alleged that RRD’s cybersecurity alert review and incident response policies did not adequately establish prioritization schemes or provide internal and external personnel with clear guidance on how to review and respond to cybersecurity incidents. The order noted how RRD security personnel “failed to adequately review [] alerts and take adequate investigative and remedial measures,” and that RRD staff tasked with reviewing and responding to escalated alerts had “significant other responsibilities, leaving insufficient time to dedicate to the escalated alerts and general threat-hunting.” The SEC’s press release credited RRD’s “meaningful cooperation that helped expedite the staff’s investigation” and voluntary adoption of “new cybersecurity technology and controls” as factors resulting in the $2.125 million civil penalty.

Internal Agency Concerns Regarding the Expansive Interpretation of Regulatory Scope Under Section 13(b)(2)(B)

In a dissenting statement on the RRD order, Commissioners Peirce and Uyeda expressed concerns about the SEC’s use of Section 13(b)(2)(B) as a tool to enforce cybersecurity-related controls as internal accounting controls. Commissioner Peirce asserted that “computer systems,” while technically assets insofar as they are corporate property, are not the types of assets covered by Section 13(b)(2)(B)’s internal accounting controls provisions because “computer systems” are not the subject of corporate transactions. She emphasized that the Commission’s role with respect to public companies’ activities, including cybersecurity, is limited and cautioned against agency overreach that would erode the distinction between internal accounting controls and administrative controls more broadly.

We are Morrison Foerster — a global firm of exceptional credentials. Our clients include some of the largest financial institutions, investment banks, and Fortune 100, technology, and life sciences companies. Our lawyers are committed to achieving innovative and business-minded results for our clients, while preserving the differences that make us stronger.

Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Prior results do not guarantee a similar outcome.