June 20, 2024
In another extension of the internal accounting controls provisions of the securities laws, this week the Securities and Exchange Commission (the “Commission” or “SEC”) announced a settled enforcement action with a public company victimized by a ransomware attack (the “Company”) for violations of Section 13(b)(2)(B) of the Exchange Act and Exchange Rule 13a-15(a). According to the Commission’s order, the Company’s response to the late-2021 cyber incident showed that it had failed to (1) devise and maintain a sufficient “system of cybersecurity-related internal accounting controls” sufficient to provide reasonable assurances that access to its IT systems was only permitted with management’s authorization, in violation of Section 13(b)(2)(B); and (2) design effective disclosure controls and procedures for cybersecurity risks and incidents, in violation of Rule 13a-15(a). As part of the settlement, the Company agreed to pay a $2.125 million civil penalty, an amount which, according to the SEC’s announcement, took into account the Company’s “meaningful cooperation that helped expedite the staff’s investigation” and their voluntary adoption of “new cybersecurity technology and controls.”
The settlement is notable in two key respects:
The order reflects an aggressive stance by the Commission as to the scope of its authority and is an articulation of its belief that it can use authorities relating to internal accounting controls—namely Section 13(b)(2)(B) of the Securities Exchange Act—to regulate public companies’ cyber-related procedures (including vendor management and incident response) even in the absence of unauthorized access to a company’s financial or accounting systems.
The order was accompanied by a strongly-worded dissent from Commissioners Hester Peirce and Mark Uyeda, challenging this expansive interpretation of the SEC’s authority. Commissioners Peirce and Uyeda accused the Commission of “stretch[ing] the law” and “distort[ing]” the internal accounting controls provision to regulate public companies’ cybersecurity practices—including deeming any departure from what the Commission deems appropriate policies to be an internal accounting controls violation.
Background
For a period of approximately four weeks in 2021, the Company was the victim of a ransomware incident during which a threat actor was able to exfiltrate data belonging to 29 of the Company’s clients, including data containing personal identification and financial information. Notably, the investigation into the incident uncovered no evidence that financial systems or corporate financial and accounting data were accessed. The Company’s internal intrusion detection system began issuing alerts on the day the attack commenced, and the third-party managed security services provider (“MSSP”) tasked with reviewing these alerts escalated three of these alerts to the Company. The MSSP also reviewed, but did not escalate, at least 20 other alerts. In its escalation, the MSSP noted that there were indications that similar activity was taking place on multiple computers, that there were connections to a broad phishing campaign, and that the malware appeared capable of facilitating remote execution of arbitrary code. Personnel at the Company reviewed the escalated alerts but, in partial reliance on its MSSP, did not conduct its own investigation of the activity or remove infected instances off the network. The Company did not actively respond to the cyber-attack until it was alerted by another company with shared access to the Company’s network several weeks later. The Company then promptly undertook an extensive response operation, notified government agencies and clients, and issued public disclosures.
A novel and expansive interpretation of internal accounting controls in the cybersecurity context
The Commission’s order for the first time applies an already expansive view of internal accounting controls to the cybersecurity context. Specifically, Section 13(b)(2)(B)(iii) requires issuers to “devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances that . . .access to assets is permitted only in accordance with management’s general or specific authorization.” In the order, the Commission found that the Company failed to devise and maintain “a system of cybersecurity-related internal accounting controls” sufficient to provide reasonable assurances that access to its “information technology systems and networks” was only permitted with management’s authorization. Asserting that information technology systems and networks are “assets” is a novel and an expansive interpretation of Section 13(b)(2)(B)(iii).
As noted in the dissent, this interpretation of what constitutes an “asset” “breaks new ground,” and there are arguments that this expansion runs contrary to the statutory language and policy. Commissioners Peirce and Uyeda noted that computer systems do not “fit the category of assets captured by Section 13(b)(2)(B)” because they “are not the subject of corporate transactions,” and that expanding the definition of “assets” in this way “ignores the distinction between internal accounting controls and broader administrative controls.” Notably, the Commission concluded that the computer systems at issue were “assets” despite the fact that the Company’s investigation into the incident “uncovered no evidence that the threat actor accessed the Company’s financial systems and corporate financial and accounting data.”
While the Commission has taken an increasing interest in cybersecurity incidents, almost all of its recent cybersecurity enforcement efforts have focused on companies’ disclosures (or lack thereof) of cybersecurity incidents. For example, in 2023, the SEC announced a $3M settlement with a South Carolina-based software company impacted in a 2020 ransomware attack. The SEC alleged that the company violated its “obligation to provide [] investors with accurate and timely material information” by making inaccurate disclosures about the types of information affected by the ransomware attack, even after company personnel learned “that its earlier public statements about the attack were erroneous.”
Similarly, in 2021, the SEC brought a settled enforcement action against a London-based public company finding that it misled investors about a cyber intrusion involving the theft of millions of student records. That action came on the heels of two similar enforcement actions in 2018 and 2019. Notably, the SEC did not bring any of these enforcement actions under Section 13(b)(2)(B) of the Exchange Act. Rather, all three of these actions alleged violations in line with more established SEC legal enforcement theories, namely that the companies in question had violated provisions of the Sections 17(a)(2) and 17(a)(3) of the Securities Act of 1933, which prohibits material misrepresentations in the offer or sale of securities, and Section 13(a) of the Exchange Act, which requires companies to file complete and accurate annual and quarterly reports with the Commission.
This latest action departs from the traditional disclosure-related theories that have underpinned these and other previous settlements related to cyber incidents, and instead extends the internal controls provisions of the Exchange Act to a company’s IT systems, as well as related cybersecurity policies and procedures. This expansive view of “accounting controls” in Section 13(b)(2)(B) represents yet a further extension of the Commission’s use of this provision to resolve financial reporting and disclosure cases (over the objection of Commissioners Peirce and Uyeda):
What constitutes “sufficient” controls?
Despite finding fault with several aspects of the Company’s controls, the Commission did not provide guidance to companies seeking to ensure that their cybersecurity controls are sufficient to the Commission. In the settlement, the Commission alleged the following shortcomings:
Disclosure controls and procedures
The Commission’s order also found that “[d]espite the importance of data integrity and confidentiality” to the Company, the Company failed to design effective disclosure-related controls and procedures around cybersecurity incidents to “ensure that relevant information was communicated to management to allow timely decisions regarding potentially required disclosure.” According to the order, the Company’s processes did not provide for how cyber-related incidents should be communicated to the Company’s “disclosure decision-makers” in a timely manner. As a result, the cyber incident was not adequately assessed from a disclosure perspective.
Practical implications
The Commission’s use of Section 13(b)(2)(B) of the Exchange Act to regulate public companies’ cyber-related procedures (including vendor management and incident response), even in the absence of unauthorized access to a company’s financial or accounting systems, suggests that public companies who are victims of cyber incidents may face further scrutiny from the Commission in the future.
As a practical matter, the lack of guidance from the SEC as to what they would find to be “reasonable” or “appropriate” presents significant challenges for companies looking to learn from this settlement and respond to the SEC’s expectations. This is perhaps a natural consequence of the SEC’s extension of Section 13(b)(2)(B) to a wholly unrelated area, as the letter of the law does not provide any guidance. Nonetheless, looking at the SEC’s area of focus in this settlement, companies can:
Gibson Dunn lawyers are available to assist in addressing any questions you may have regarding these developments. Please contact the Gibson Dunn lawyer with whom you usually work, the authors, or any leader or member of the firm’s Privacy, Cybersecurity & Data Innovation, Securities Enforcement, or Securities Regulation & Corporate Governance practice groups:
Privacy, Cybersecurity and Data Innovation:
Ahmed Baladi – Paris (+33 (0) 1 56 43 13 00, [email protected])
S. Ashlie Beringer – Palo Alto (+1 650.849.5327, [email protected])
Stephenie Gosnell Handler – Washington, D.C. (+1 202.955.8510, [email protected])
Joel Harrison – London (+44 20 7071 4289, [email protected])
Jane C. Horvath – Washington, D.C. (+1 202.955.8505, [email protected])
Vivek Mohan – Palo Alto (+1 650.849.5345, [email protected])
Rosemarie T. Ring – San Francisco (+1 415.393.8247, [email protected])
Sophie C. Rohnke – Dallas (+1 214.698.3344, [email protected])
Securities Enforcement:
Tina Samanta – New York (+1 212.351.2469, [email protected])
Mark K. Schonfeld – New York (+1 212.351.2433, [email protected])
David Woodcock – Dallas/Washington, D.C. (+1 214.698.3211, [email protected])
Securities Regulation and Corporate Governance:
Elizabeth Ising – Washington, D.C. (+1 202.955.8287, [email protected])
Thomas J. Kim – Washington, D.C. (+1 202.887.3550, [email protected])
Julia Lapitskaya – New York (+1 212.351.2354, [email protected])
James J. Moloney – Orange County (+1 1149.451.4343, [email protected])
Ronald O. Mueller – Washington, D.C. (+1 202.955.8671, [email protected])
Michael Scanlon – Washington, D.C.(+1 202.887.3668, [email protected])
Lori Zyskowski – New York (+1 212.351.2309, [email protected])
© 2024 Gibson, Dunn & Crutcher LLP. All rights reserved. For contact and other information, please visit us at www.gibsondunn.com.
Attorney Advertising: These materials were prepared for general informational purposes only based on information available at the time of publication and are not intended as, do not constitute, and should not be relied upon as, legal advice or a legal opinion on any specific facts or circumstances. Gibson Dunn (and its affiliates, attorneys, and employees) shall not have any liability in connection with any use of these materials. The sharing of these materials does not establish an attorney-client relationship with the recipient and should not be relied upon as an alternative for advice from qualified counsel. Please note that facts and circumstances may vary, and prior results do not guarantee a similar outcome.