Would the SEC’s Cybersecurity Controls Claims against R.R. Donnelley Survive the District Court’s Analysis in SolarWinds?
No and yes? On July 18th, Judge Engelmayer in the Southern District of New York issued an opinion dismissing much of the SEC’s cybersecurity disclosure case against SolarWinds Corp. People are atwitter about what it all means. But we don’t have to just wonder. We can look at another of the SEC’s very recent cybersecurity cases and measure one against the other.
The Case against R.R. Donnelley & Sons Co.
We’re old enough to remember when, back on June 18th, the SEC brought a settled administrative case against R.R. Donnelley & Sons Co. (“RRD”) relating to “disclosure and internal control failure[s] . . . relating to cybersecurity incidents and alerts in late 2021.”
RRD had hired a cybersecurity firm, which the SEC awkwardly calls the “MSSP”, to handle these incidents. Hitting the highlights, the SEC says:
RRD “did not reasonably manage the firm’s allocation of resources to the task . . . [and] failed to reasonably set out a sufficient prioritization scheme and workflow for review and escalation of the alerts.” Order at ¶ 6.
RRD did not allocate enough staff resources to reviewing and responding to escalated alerts. Order at ¶ 7.
RRD’s incident response policies failed to sufficiently:
identify lines of responsibility and authority,
set out clear criteria for alert and incident prioritization, and
establish clear workflows for alert review and incident response and reporting. Order at ¶ 9.
Once a ransomware intrusion did begin on November 29, 2021, the cybersecurity firm escalated alerts from RRD’s detection system but RRD “did not take the infected instances off the network and failed to conduct its own investigation of the activity, or otherwise take steps to prevent further compromise, before December 23, 2021.” Order at ¶ 11.
In the meantime, the attacker “was able to utilize deceptive hacking techniques to install encryption software on certain RRD computers (mostly virtual machines) and exfiltrated 70 Gigabytes of data, including data belonging to 29 of RRD’s 22,000 clients, some of which contained personal identification and financial information.” Order at ¶ 13.
RRD failed to design effective disclosure-related controls and procedures around cybersecurity incidents to ensure that relevant information was communicated to management to allow timely decisions regarding potentially required disclosure. Order at ¶ 16.
And, “[d]uring the 2021 ransomware incident, RRD’s failure to design and maintain internal controls sufficient to provide reasonable assurances that access to RRD’s assets was permitted only with management’s authorization was exploited by hackers.” Order at ¶ 17.
All of this, the SEC said, amounted to violations of Exchange Act Section 13(b)(2)(B) and Rule 13a-15 regarding internal accounting controls and disclosure controls and procedures.
The Two-Commissioner Dissent
SEC Commissioners Mark Uyeda and Hester Peirce did not agree! They published a Statement (we’ll call it a dissent) arguing that the Commission’s interpretation of Section 13(b)(2)(B) simply missed the mark. That provision says, among other things, that issuers must:
(B) devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances that ...
(iii) access to assets is permitted only in accordance with management’s general or specific authorization .... (emphasis added)
But what were the assets at issue here? In Paragraph 1 of the Order, the SEC said it was RRD’s “information technology systems and networks, which contained sensitive business and client data.” Their dissent said that RRD’s “computer systems, while an . . . asset in a broad sense, are not an asset of the type covered by Section 13(b)(2)(B)’s internal accounting controls provisions.” They reached back to the subsection’s roots in AICPA Statement on Auditing Standards No. 1, which says that the “specific objectives codified in Section 13(b)(2)(B) come from a section of the auditing standards that were adopted to clarify what internal accounting controls that safeguard assets means ‘in relation to the functions involved in the flow of transactions.’ ”
For the dissent, the gist was this:
While RRD’s computer systems constitute an asset in the sense of being corporate property, computer systems are not the subject of corporate transactions. At most, computer systems process transactions in corporate assets, but the internal accounting controls are concerned with the use and disposition of the corporate assets themselves. The controls associated with the means of processing transactions in corporate assets are more appropriately categorized as administrative controls involving management’s decisions prior to authorizing transactions.
So if RRD sold widgets, it would have to have internal accounting controls to track the sale of the widgets and when the company recognized revenue from the widgets, etc. For Section 13(b)(2)(B) purposes, the widgets are the assets. The computers used to run the business wouldn’t be “assets” in the same way.
SolarWinds
Meanwhile, the SEC filed its much broader cybersecurity case against SolarWinds Corporation and its Chief Information Security Officer last October in the Southern District of New York. That matter included fraud charges but also alleged corporate violations of Section 13(b)(2)(B) and Rule 13a-15.
Section 13(b)(2)(B)
On July 18th, the District Court issued an order largely granting the defendants’ motion to dismiss. In their motion, the defendants argued that an issuer’s “system of internal accounting controls” could not reasonably be interpreted to cover a company’s cybersecurity controls such as its password and VPN protocols. The court said SolarWinds was “clearly correct”.
Essentially no part of the court’s Section 13(b)(2)(B) analysis worked out in the SEC’s favor.
The plain meaning of “internal accounting controls” just didn’t extend to cybersecurity controls. Opinion at 95-96.
Dictionary definitions? Accounting ≠ cybersecurity. Op. at 96.
Court decisions? The court cited the Seventh Circuit, the Northern District of Georgia, and even one of the SEC’s own ALJs to note that those forums have described internal accounting controls as being designed to ensure the accuracy of financial reporting. Op. at 97-98.
The court even nodded to Uyeda’s and Peirce’s dissent by citing Section 13(b)(2)(B)’s legislative history, which said its objectives were taken from the authoritative accounting literature. Op. at 101 (emphasis in original).
Over 107 pages, you can imagine the court might have been thinking of what the consequences of a contrary decision might be, and it did not disappoint:
The SEC’s rationale, under which the statute must be construed to broadly cover all systems public companies use to safeguard their valuable assets, would have sweeping ramifications. It could empower the agency to regulate background checks used in hiring nighttime security guards, the selection of padlocks for storage sheds, safety measures at water parks on whose reliability the asset of customer goodwill depended, and the lengths and configurations of passwords required to access company computers. That construction – and those outcomes – cannot be squared with the statutory text.
Op. at 100.
Could anyone reasonably think the SEC’s claims against R.R. Donnelley as to Section 13(b)(2)(B) would have survived this treatment? We just don’t see how.
Rule 13a-15
This rule requires companies to “maintain disclosure controls and procedures” that are “designed to ensure that information required to be disclosed by an issuer . . . is accumulated and communicated to the issuer's management . . . to allow timely decisions regarding required disclosure.”
In SolarWinds, the SEC alleged that the company misclassified two cybersecurity incidents as level “0” when they should have been labeled level “2”, which would have brought them to the attention of the company’s CEO and CTO. The SEC had also cited a VPN vulnerability that the company had identified but failed to elevate to its top management.
The court noted two reasons the allegations under Rule 13a-15 failed, one of which is most applicable to R.R. Donnelley. Simply, SolarWinds had a system to facilitate the disclosure of potentially material cybersecurity risks and incidents, and the SEC did not allege that the system was inherently flawed. As the court put it, “The SEC didn’t plead any deficiency in the construction of this system. On the contrary, as pled, the [system] as designed was capable of ‘ensur[ing] that information required to be disclosed ... is recorded, processed, summarized and reported’ within a reasonable time.” It just pled that the two incidents were wrongly classified. But “errors happen without systemic deficiencies.” Op. at 104.
In the R.R. Donnelley order, the SEC’s factual allegations as related to Rule 13a-15 culminated in this:
While RRD’s internal systems began issuing alerts on the first day of the compromise, approximately three weeks before any encryption and exfiltration of data took place, RRD’s external and internal security personnel failed to adequately review these alerts and take adequate investigative and remedial measures until a company with shared access to RRD’s network notified RRD about anomalous internet traffic on December 23, 2021.
Order at ¶ 17.
The SEC actually might have a stronger 13a-15 claim against R.R. Donnelley than it did against SolarWinds. The SolarWinds claim under that rule rested on three discrete incidents, and only those three. In RRD, the company also had a system. In fact, its internal detection systems were throwing “a significant number of alerts each month.” Order at ¶ 5. They also had a third-party cybersecurity firm to help them deal with these alerts and escalate the bad ones. But . . . the SEC also alleges that RRD didn’t sufficiently:
devote resources to the system or its escalated alerts; Order at ¶ 6
identify lines of responsibility and authority as to those alerts;
set out clear criteria for alert and incident prioritization; or
establish clear workflows for alert review and incident response and reporting. Order at ¶ 9.
These problems seem, um, systemic. We can’t think of a better word. If you have a system but then starve it of resources and let it be hobbled by these issues, maybe you don’t actually have “disclosure controls and procedures” that are reasonably designed under the SolarWinds analysis.
Anyway, Judge Engelmayer’s analysis is quite thorough. And he isn’t a lightweight, to say the least. If the SEC brings other cases along these lines, other courts will look to his SolarWinds opinion for guidance even if it doesn’t have precedential effect.
Links
R.R. Donnelley Administrative Order
Uyeda/Peirce Statement on R.R. Donnelley