
Navigating the New Frontier: SEC Enforcement Action Against RR Donnelley and Its Implications for Compliance | Thomas Fox – Compliance Evangelist

In the ever-evolving compliance landscape, the Securities and Exchange Commission’s (SEC) recent enforcement action against RR Donnelley is a significant case study. This incident underscores the importance of robust cybersecurity measures and highlights the SEC’s growing influence in areas traditionally considered outside its purview. As a compliance professional, understanding the intricacies of this case is critical to adapting to the dynamic regulatory environment. Matt Kelly and I took a deep dive into the enforcement action in a recent episode of Compliance into the Weeds.

RR Donnelley, a company formerly known for its printing services and later for marketing and business communications services, settled an SEC enforcement action in June 2024 arising from a cybersecurity intrusion that began in November 2021. The intruders gained access to the company’s network, copied confidential customer data, and later published some of it on the dark web. The SEC’s central allegations were that Donnelley’s disclosure controls and procedures did not ensure that information about the intrusion reached senior management and was assessed for disclosure to investors in a timely manner, and that the company did not maintain sufficient internal controls over access to its IT systems. Ultimately, the company agreed to pay a civil penalty of approximately $2.1 million.

The SEC’s enforcement action was based on the premise that Donnelley’s cybersecurity measures were inadequate, resulting in unauthorized access to its IT resources. Specifically, the SEC relied on the internal accounting controls provisions of the Exchange Act (Section 13(b)(2)(B)) to impose sanctions even though no accounting fraud, misstated financials or direct economic loss to investors had occurred. This represents a novel application of the SEC’s authority: using internal accounting controls requirements to address a cybersecurity failure.

Matt believes the SEC’s enforcement was based on the idea that poor cybersecurity equates to poor internal controls over assets. The SEC interpreted the Exchange Act to mean that access to a company’s assets, whether data or financial, should be controlled and authorized by management. Matt noted in his blog post that the legal basis for this position comes from the Securities Exchange Act of 1934, which established the Securities and Exchange Commission and the anti-fraud securities laws in place today. Section 13(b)(2)(B) of the Exchange Act requires issuers to devise and maintain a system of internal accounting controls “sufficient to provide reasonable assurances” on four counts:

  • Transactions are executed in accordance with management’s authorization;
  • Transactions are recorded as necessary to permit preparation of financial statements and to maintain accountability for assets;
  • Access to assets is permitted only in accordance with management’s authorization;
  • The recorded accountability for assets is compared with the existing assets at reasonable intervals, and appropriate action is taken with respect to any differences.

The intruders’ ability to access Donnelley’s IT systems without authorization was treated as a failure of the third of these controls: access to company assets was not, in practice, limited to what management had authorized.

This interpretation expands the scope of what compliance professionals must consider within internal controls. Traditionally, internal controls have been seen in the context of financial reporting and the protection of physical assets, most often cash or cash equivalents. The statute, however, speaks of “assets” generally, not only cash, and this case makes clear that the SEC regards a company’s data and IT systems as assets to which the same access-control requirement applies.

Another critical aspect of the case was the delay in escalating the breach. According to the SEC, alerts about the intrusion reached Donnelley’s internal IT security personnel, but the incident was not promptly investigated or communicated to senior management. It was only after an outside party reported the intrusion that the CISO and senior executives became fully aware of it and were able to take action.

This scenario highlights the importance of having robust internal communication channels and protocols in place to ensure that significant cybersecurity incidents are promptly reported to senior management. In addition, it underscores the need for transparency with investors regarding such breaches, consistent with the SEC’s mandate to protect investor interests.

Compliance professionals today must view cybersecurity as an integral part of internal control systems. Ensuring the security of IT systems and strict control of access to digital assets should be a priority. This includes regular audits of cybersecurity measures, continuous monitoring of IT systems and the implementation of robust access control mechanisms.

The case also highlights the need for clear and effective disclosure practices. Compliance teams should ensure that there are clearly defined procedures in place to report cybersecurity incidents internally and disclose them to investors when necessary. This could include establishing rapid response teams and promptly notifying senior management of serious breaches.

Given the technical nature of cybersecurity, collaboration between compliance and IT departments is essential. Compliance officers should work closely with CISOs and IT security teams to understand potential risks and ensure appropriate controls are in place. This partnership is critical to developing a comprehensive compliance strategy that addresses traditional financial risks and new digital threats.

The SEC’s approach in this case demonstrates that regulators are willing to use existing frameworks to address new types of risks. Compliance professionals should prepare for increased scrutiny and be proactive in ensuring their organizations meet regulatory expectations. This may include regular training, staying up to date on regulatory changes, and conducting thorough risk assessments.

The RR Donnelley case is a wake-up call for compliance professionals, highlighting the need to adapt to an evolving regulatory landscape. By expanding the scope of internal controls to include cybersecurity and improving disclosure practices, compliance teams can better protect their organizations and meet regulatory expectations. Collaboration with IT and vigilance regarding regulatory trends will be critical to navigating this new frontier of compliance. Perhaps even more ominous is Matt’s question, in another blog post, about the UnitedHealth cyberattack in Q1 2024: “If the SEC applied this enforcement theory against Donnelley, shouldn’t the same theory now be applied against UnitedHealth? At this point, we should discuss exactly how the breach at UnitedHealth occurred. Change Healthcare had failed to implement multi-factor authentication on a critical computer server, allowing attackers to use stolen employee credentials to gain access. In other words, UnitedHealth had allowed poor access control to a critical system.”

In other words: watch this space.
