July 8, 2024
Enforcement: Did the SEC Get it Right in RR Donnelley & Sons?
The SEC’s recent enforcement action against RR Donnelley & Sons is the latest in a series of proceedings in which the agency has broadly interpreted the scope of the Exchange Act’s internal controls provisions. That approach has been sharply criticized by dissenting commissioners and by outside commenters, but in a recent “Radical Compliance” blog, Matt Kelly entertains the possibility that the SEC’s view of the world may be right.
Matt points out that Section 13(b)(2)(B) of the Exchange Act requires companies to maintain internal accounting controls “sufficient to provide reasonable assurances” that, among other things, access to assets is permitted only according to management authorization. He notes that in this enforcement proceeding, the SEC is taking a provision intended to apply to accounting fraud and applying it to cybersecurity – but as he explains in this excerpt, this isn’t necessarily an unreasonable position:
Is it really proper for the SEC to use its books-and-records provision in that manner? Honestly, I dunno. On one hand, we should remember that no actual fraud happened at Donnelley. No transactions were improperly recorded. The company didn’t even suffer a loss of data, since the data was only copied.
On the other hand, Donnelley was locked out of important IT systems. For example, some customers couldn’t receive documentation vital to vendor payments and disbursement checks. If this cyber attack happened in the real world, it would be akin to hooligans strolling into your building, changing the locks to the accounting department, and demanding millions if you want to get the set of new keys. A company that let something like that happen would certainly seem inept to most reasonable investors.
Critics of the SEC (and lord knows there are plenty around) would say the Donnelley case is a novel interpretation of anti-fraud rules, with the SEC basically nosing its way into cybersecurity regulation. That seems outside the SEC’s swim lane.
Then again, suppose those hackers had exploited sloppy cybersecurity controls to steal money from Donnelley rather than copying data, and then covered their tracks by altering the finance department’s banking records. (A frighteningly easy thing to do, by the way.) Few people would fault the SEC for raking Donnelley over the coals then. So why does this case feel a bit weird now, when money wasn’t stolen?
Matt suggests that we step back and look at the big picture: as technology has advanced, the controls required for reliable financial reporting and those required for sound cybersecurity have been converging into a single discipline centered on access control. In that world, the control that matters is the one that prevents unauthorized access to the IT systems where the books and records now reside, not the historical norm of controls governing physical access to the accounting department and its paper records.
– John Jenkins