TheCorporateCounsel.net

Providing practical guidance since 1975.

June 20, 2024

Enforcement: SEC Targets Internal Controls in Latest Cyber Breach Action

On Tuesday, the SEC announced an enforcement action against RR Donnelley & Sons arising out of alleged disclosure and internal controls violations associated with a series of cyber incidents occurring in November and December 2021 that resulted in a hacker obtaining information belonging to 29 of the company’s clients. This excerpt from the SEC’s press release explains the basis for the action:

According to the SEC’s order, data integrity and confidentiality were critically important to RRD’s business. Because client data was stored on RRD’s network, its information security personnel and the third-party service provider RRD hired were responsible for monitoring the network’s security. However, according to the order, RRD failed to design effective disclosure controls and procedures to report relevant cybersecurity information to management with the responsibility for making disclosure decisions, and failed to carefully assess and respond to alerts of unusual activity in a timely manner.

The order further finds that RRD failed to devise and maintain a system of cybersecurity-related internal accounting controls sufficient to provide reasonable assurances that access to RRD’s assets – its information technology systems and networks – was permitted only with management’s authorization.

Under the terms of the SEC’s order in the case, the company consented, on a neither admit nor deny basis, to the entry of a C&D enjoining future violations of Exchange Act Section 13(b)(2)(B) and Rule 13a-15(a). In addition, the company agreed to pay a civil monetary penalty of $2.125 million.

In a dissenting statement, Commissioners Peirce and Uyeda again challenged the SEC’s use of Section 13(b)(2)(B) in a setting not involving accounting controls:

The Commission’s order faulting RRD’s internal accounting controls breaks new ground with its expansive interpretation of what constitutes an asset under Section 13(b)(2)(B)(iii). By treating RRD’s computer systems as an asset subject to the internal accounting controls provision, the Commission’s Order ignores the distinction between internal accounting controls and broader administrative controls. This distinction, however, is essential to understanding and upholding the proper limits of Section 13(b)(2)(B)’s requirements.

If this objection to an expansive interpretation of Section 13(b)(2)(B) sounds familiar, that’s because it’s one that these same two commissioners raised in response to two prior enforcement actions – the SEC’s 2020 enforcement action against Andeavor and its 2024 enforcement action against Charter Communications.

John Jenkins
