- SEC settlement over cyber hack a novel use of accounting rules
- Wide range of public companies at risk, attorneys say
Wall Street’s top regulator is putting a new spin on a decades-old rule designed to root out accounting fraud, leaving public companies and their attorneys wondering how far the rules extend.
R.R. Donnelley & Sons Co. agreed last month to pay $2.1 million to settle Securities and Exchange Commission charges that the marketing and printing company violated disclosure and internal accounting control rules stemming from a 2021 cybersecurity breach.
The settlement, which comes amid heightened SEC focus on cybersecurity, represents a new—and expansive—take on the accounting control provisions. The regulator included a similar accounting charge in its high-profile suit against SolarWinds Corp., and a federal judge in Manhattan is poised to weigh in on the SEC’s approach.
Applying the accounting rules to a cyber hack is an “incredibly slippery slope,” Hilgers Graben PLLC partner Scott Mascianica said.
“Clearly in the cybersecurity realm it’s fraught with peril for all issuers who are the victim of any hack,” Mascianica, a former SEC lawyer, said. “But you could extrapolate it to a whole host of things.”
Redefining ‘Asset’
The Foreign Corrupt Practices Act—a 1970s law that makes it a crime to offer anything of value to non-US officials to win business—requires that companies have internal controls sufficient to, among other things, ensure assets are accessed only with management’s authorization.
Chicago-based R.R. Donnelley was the subject of an SEC investigation after a late 2021 ransomware attack. While data belonging to 29 company clients was exposed, an internal investigation found no evidence that financial or accounting data were compromised, according to the SEC order.
Nonetheless, the agency said R.R. Donnelley’s internal controls weren’t sufficient to ensure that access to company assets—in this case, the company’s computer systems—was allowed only with management’s authorization.
Republican commissioners who dissented from the settlement said it broke new ground. They argued that IT networks don’t fit the kind of “asset” that is captured by the internal accounting controls rules.
“As this proceeding illustrates, a broad interpretation of Section 13(b)(2)(B) to cover computer systems gives the Commission a hook to regulate public companies’ cybersecurity practices,” the commissioners said, referring to the accounting provisions in the Securities Exchange Act. “Any departure from what the Commission deems to be appropriate cybersecurity policies could be deemed an internal accounting controls violation.”
Expanding Scope
The SEC’s action against R.R. Donnelley is widely viewed as the latest step by the agency to expand the reach of those provisions outside traditional accounting controls.
Hester Peirce and Mark Uyeda, the dissenting Republican commissioners, traced the efforts to 2020 when oil refinery operator Andeavor LLC paid $20 million to settle SEC control provision charges related to a stock buyback plan. Charter Communications Inc. last year paid $25 million over similar charges related to its trading plans.
Peirce and Uyeda called the internal accounting control provisions the SEC’s “Swiss Army Statute.”
The SEC “seems to be trying to shoehorn different facts from what the provisions were intended into those holes,” Mascianica said.
While settlements don’t create binding legal precedent, they can signal an enforcement shift. The latest action raises questions about how far the SEC believes the reach of the internal accounting control provisions extends.
“What’s the outer limit?” Troy Paredes, a former Republican SEC commissioner, said in a webinar late last month.
If it takes several additional enforcement actions “to figure out what the full scope of the internal controls provision encompasses, that’s a pretty difficult circumstance for companies to be in,” Paredes added.
Cyber Focus
The SEC has ramped up its focus on cybersecurity, including finalizing rules last year that require public companies to report significant attacks within four days.
It has brought several cyber-related enforcement actions as well. Most so far have alleged companies failed to disclose a hack or disclosed it in a misleading way.
The SEC’s October suit against SolarWinds accused the IT firm of defrauding investors by downplaying security risks ahead of a hack of its software that rippled through computer systems across the country.
The most recent order creates a new atmosphere of risk for public companies, said Walker Newell, a former SEC attorney and current vice president of litigation and enforcement at Woodruff Sawyer, an insurance brokerage and consulting firm.
R.R. Donnelley was hit with charges even though it disclosed the breach to investors and there was no allegation in the order that it misled them.
“Donnelley is among the most aggressive SEC cases in the cyber space that we’ve seen, if not the most aggressive,” Newell said.
‘Live Issue’
The SEC’s decision to charge R.R. Donnelley with accounting violations is cause for concern for a broad universe of public companies, attorneys say.
“In a way it suggests that even if you get the disclosure right, the SEC enforcement may be focused on the underlying process, even where it doesn’t take issue with the ultimate output,” said Amy Jane Longo, a Ropes & Gray LLP partner and former SEC attorney.
The SEC’s reading of the internal control provisions is being tested.
One of the charges against SolarWinds is an internal accounting control violation. SolarWinds has asked that claim be dismissed, arguing in a court filing earlier this year that it “amounts to a wholesale rewriting of the law.”
The judge in the US District Court for the Southern District of New York overseeing the case heard arguments on SolarWinds’ dismissal bid in May. An eventual ruling is expected to provide some guidance on the interpretation of the internal accounting control provisions.
“It’s very much a live issue and one that I think is going to be contested as long as the current SEC continues to push these theories forward,” Newell said.