SEC Breaks New Ground with Cybersecurity Enforcement Case

R.R. Donnelley & Sons Co. doesn’t seem like the type of company that’s likely to make waves. Once the world’s largest commercial printer, Chicago-based RRD boasts that it has “the industry’s most trusted portfolio of marketing, packaging, print and supply chain solutions.” But the company, which was acquired by Chatham Asset Management and taken private in 2022, may now become the poster child for a new approach to securities law enforcement.

Last month, the Securities and Exchange Commission announced a settlement with RRD over charges of disclosure and internal control failures stemming from cybersecurity incidents and alerts in 2021 when it was still traded on the New York Stock Exchange. According to the SEC, “RRD failed to design effective disclosure controls and procedures to report relevant cybersecurity information to management with the responsibility for making disclosure decisions and failed to carefully assess and respond to alerts of unusual activity in a timely manner.” Moreover, the SEC said RRD “failed to devise and maintain a system of cybersecurity-related internal accounting controls sufficient to provide reasonable assurances that access to RRD’s assets – its information technology systems and networks – was permitted only with management’s authorization.” The company agreed to pay a civil penalty of $2.1 million to settle the charges.

Observers were less interested in the specifics of the case and instead zeroed in on how the SEC justified the charges against RRD: The agency found the company violated Section 13(b)(2)(B) of the Securities Exchange Act of 1934.

Section 13(b)(2)(B) has come to be seen as a catch-all provision for securities regulation, and commentators appeared to align in agreement that the SEC was staking out new territory with this latest move. For example, in an analysis of what they called an “unprecedented settlement,” lawyers at Debevoise & Plimpton said it represented “a striking expansion of the SEC’s view of its oversight authority relating to public company cybersecurity policies and procedures.” In doing so, the Commission has set out to “bring charges outside the accounting context for which this statutory provision was arguably intended,” they said.

As has become customary, SEC commissioners Hester M. Peirce and Mark T. Uyeda voiced similar concerns about the enforcement action against RRD, albeit in more pointed terms. “While an enforcement action may be warranted in some circumstances, distorting a statutory provision to form the basis for such an action inappropriately amplifies a company’s harm from a cyberattack,” the pair wrote in a statement.

The two Republican appointees already spoke out last year about the SEC using Section 13(b)(2)(B) as the equivalent of a Swiss Army knife for enforcement, a charge they reiterated in their analysis of the RRD case. Last time, Peirce and Uyeda were commenting on a case involving stock buyback plans. The fact that the latest application involves cybersecurity, a wholly different area of corporate governance, will only fuel more concerns about overreach.

***

The Intelligize blog is on hiatus for the Independence Day holiday and will return on Tuesday, July 9, 2024
