Imagine a company coughing up millions of dollars of shareholder money to settle an SEC enforcement action based, in part, on an enforcement theory that a federal court a mere 30 days later concluded was incorrect.
As highlighted in this prior post, on June 18, 2024 the SEC announced that R.R. Donnelley & Sons Company (RRD), a global provider of business communication and marketing services, agreed to pay over $2.1 million to settle disclosure and internal control failure charges relating to cybersecurity incidents and alerts in late 2021.
Under the heading “RRD’s Failure to Maintain Sufficient Internal Accounting Controls and Disclosure Controls and Procedures,” the order stated in pertinent part:
“RRD failed to reasonably design and maintain internal controls that complied with [the FCPA’s internal controls provisions]. Namely, as discussed above, RRD’s cybersecurity alert review and incident response policies and procedures failed to adequately establish a prioritization scheme and to provide clear guidance to internal and external personnel on procedures for responding to incidents. In addition, RRD failed to establish sufficient internal controls to oversee the MSSP’s review and escalation of the alerts.
During the 2021 ransomware incident, RRD’s failure to design and maintain internal controls sufficient to provide reasonable assurances that access to RRD’s assets was permitted only with management’s authorization was exploited by hackers. While RRD’s internal systems began issuing alerts on the first day of the compromise, approximately three weeks before any encryption and exfiltration of data took place, RRD’s external and internal security personnel failed to adequately review these alerts and take adequate investigative and remedial measures until a company with shared access to RRD’s network notified RRD about anomalous internet traffic on December 23, 2021.”
Based on the above, the order found that RRD violated, among other things, the FCPA’s internal controls provisions.
The June 18, 2024 SEC enforcement action against RRD was a virtual carbon copy of the October 30, 2023 SEC enforcement action against SolarWinds Corporation (a Texas-based software company) and its chief information security officer (Timothy Brown) for disclosure and internal control failures relating to allegedly known cybersecurity risks and vulnerabilities. (See here for the prior post).
The SEC’s complaint against SolarWinds alleged regarding internal controls:
“As an Exchange Act Section 13(a) reporting company, SolarWinds was required to “devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances that…access to assets is permitted only in accordance with management’s general or specific authorization.” In that regard, SolarWinds was required to develop reasonable safeguards against unauthorized access to Company assets by designing and maintaining reasonable controls to prevent and detect unauthorized access to, or use of, its assets.
SolarWinds’ information technology network environment, source code, and products were among the Company’s most critical assets. As discussed above, Orion [a software platform] was among SolarWinds’ “crown jewel” assets. SolarWinds’ Code of Conduct also described the Company’s software code and information technology infrastructure among its most important assets and emphasized employees’ responsibility to protect such information. In its October 18, 2018 Form S-1, SolarWinds stressed the importance of its “technology infrastructure to sell [its] products and operate [its] business” as well as its customers’ reliance on SolarWinds’ technology to manage their own information technology infrastructure.
SolarWinds assessed the effectiveness of its internal controls using the framework in Internal Control – Integrated Framework issued in 2013 by the Committee of Sponsoring Organization of the Treadway Commission (“COSO Framework”). For cybersecurity controls, the COSO Framework requires an organization to select and develop internal control activities over technology that are designed and implemented to restrict technology access rights to authorized users and to protect the entity’s assets from external threats.
Under the COSO Framework, SolarWinds chose to use the NIST Framework [National Institute of Standards and Technology Cybersecurity Framework] … conduct assessments. As discussed above, SolarWinds admitted in internal documents that it had no program or practice in place for a majority of the controls in the NIST Framework, and had assessed itself to be performing poorly on multiple critical controls.
As a result of the above shortcomings to SolarWinds’ cybersecurity controls, the Company failed to devise and maintain a system of internal controls sufficient to provide reasonable assurance that access to the Company’s assets was only in accordance with management’s general or specific authorization.
Unlike most issuers subject to SEC scrutiny, SolarWinds mounted a legal defense and filed a motion to dismiss – a motion that was pending on June 18th when RRD resolved its SEC enforcement action.
As highlighted in this recent post – a mere 30 days after RRD resolved its SEC enforcement action based, in part, on the SEC’s expansive internal controls theory of enforcement, a court dismissed the SEC’s similar internal controls charge against SolarWinds.
In short, the court found it “not tenable” that the internal controls provisions covered SolarWind’s cybersecurity controls.
The court stated:
“The text [of the internal controls provisions] … defeats the SEC’s attempt to apply this provision to cybersecurity controls. And there is no evidence of any other sort that Congress intended its reference to “a system of internal accounting controls” to reach cybersecurity controls.
[…]
The history and purpose of the statute confirm that cybersecurity controls are outside the scope of Section 13(b)(2)(B). Sections 13(b)(2)(A) and 13(b)(2)(B) were enacted as part of the 1977 Foreign Corrupt Practices Act (“FCP A”), amending the 1934 Securities Exchange Act, In re Yesner, 2001 WL 587989, at *33, and together are referred to as the “accounting provisions,” Foreign Corrupt Practices Act of 1977, Statement of Policy, 21 SEC Docket 1466, 1468 (Jan. 29, 1981). The FCPA was passed in response to “a pattern of questionable payments to foreign government officers by prominent American corporations.” Id. The accounting provisions were enacted “to assure books and records accurately and fairly reflected transactions and the disposition of assets, to protect the integrity of the independent audit, and to promote reliability and completeness of financial information that is disseminated to investors.” In re Yesner, CPA, 2001 WL 587989, at *31. And with regard to Section 13(b)(2)(B) in particular, Congress’s explicit purpose, as codified in the text, was to “provide reasonable assurances that, among other things, transactions are recorded as necessary to permit the preparation of financial statements in conformity with generally accepted accounting principles or any other applicable criteria.” S. Rep. No. 95-114 at 7 (1977) (emphasis added). Indeed, Congress recognized that because “the accounting profession has defined the objectives of a system of accounting control, the definition of the objectives contained in this subparagraph is taken from the authoritative accounting literature.” Id. (citing American Institute of Certified Public Accountants, Statement on Auditing Standards No. I, 320.28 (1973)) (emphasis added).
To that end, these provisions require public companies, in addition to filing with the SEC annual and quarterly reports containing detailed financial information, to put in place systems to ensure that the information reported is accurate and complete. Section 13(b)(2)(A) regulates financial recordkeeping. It requires public companies to “make and keep books, records, and accounts, which, in reasonable detail, accurately and fairly reflect the transactions and dispositions of [their] assets.” And Section 13(b)(2)(B), at issue here, requires issuers to “devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances” that assets are safeguarded from unauthorized use, that corporate transactions conform to managerial authorizations, and that records are accurate. As evinced by the broader statutory scheme, the internal accounting controls identified in Section 13(b )(2)(B) thus are intended to provide extra assurance of the accuracy and completeness of the financial information on which the issuer’s annual and quarterly reports rely.
To state the obvious, cybersecurity controls are not-and could not have been expected to be-part of the apparatus necessary to the production of accurate such reports. The Court therefore dismisses the AC’s internal accounting control claim against SolarWinds for failure to state a claim.”
Both SolarWinds and RRD faced nearly identical SEC enforcement theories concerning the internal controls provisions.
One choice to fight and won and one choose to settle.
Both decisions (presumably made by the board of directors and/or audit committees of the companies as advised by outside counsel) are presumably protected by the business judgment rule.
But which decision was best?
RRD spent $2.1 million dollars of shareholder money to settle an enforcement action based in part on an enforcement rejected by a federal court a short time later.
Challenging the SEC’s enforcement theory obviously was not a cost free exercise for SolarWinds and the company may have exceeded $2.1 million in attorneys fees given the briefing in the case.
This much is probably true though.
No other company likely will benefit from RRD’s risk averse decision to resolve an SEC enforcement action based on a dubious enforcement theory.
Whereas, other companies will likely benefit from SolarWind’s decision to contest the SEC’s theory of enforcement and the court’s conclusion. But then again, one non-binding federal court decision (on a relative issue of first impression) will likely not cause the SEC to back off its dubious enforcement theory because – after all – the SEC can rightly assert that another company agreed to resolve a matter based on the same enforcement theory.
The post Pity R.R. Donnelley & Sons? appeared first on FCPA Professor.
