Hey, look, there’s a hoof cleaner! Statement on R.R. Donnelley & Sons, Co.

Washington D.C.

As we have noted before, the Commission in recent years has taken to treating Exchange Act Section 13(b)(2)(B)’s internal accounting controls provision as a Swiss Army Statute to compel issuers to adopt policies and procedures the Commission believes prudent.[1] Identifying a link between the Commission’s preferred policies and procedures and accounting controls seems a collateral concern, if it is a concern at all. In today’s settled administrative proceeding against R.R. Donnelley & Sons, Co. (“RRD”),[2] the Commission finds and uses a novel attachment on its multi-use tool—“a system of cybersecurity-related internal accounting controls.”

Understanding the particulars of RRD’s alleged violation of Section 13(b)(2)(B) requires careful parsing of the Order Instituting Proceedings. RRD was the victim of a cyberattack. For a period of approximately four weeks in 2021, a “threat actor was able to utilize deceptive hacking techniques to install encryption software on certain RRD computers (mostly virtual machines) and exfiltrated 70 Gigabytes of data, including data belonging to 29 of RRD’s 22,000 clients, some of which contained personal identification and financial information.” On December 23, “a company with shared access to RRD’s network alerted RRD’s Chief Information Security Officer [“CISO”] about potential anomalous internet activity emanating from RRD’s network,” and RRD “began actively responding to the attack.” Importantly, RRD’s investigation into the incident “uncovered no evidence that the threat actor accessed RRD’s financial systems and corporate financial and accounting data.”

The Order notes that RRD did have an “internal intrusion detection system” that, as early as November 29, “began issuing alerts . . . about certain malware in the RRD network” that were “visible” to both RRD and its third-party managed security services provider (“MSSP”). The MSSP sent three of the alerts to RRD personnel who reviewed them, “but, in partial reliance on its MSSP, did not take the infected instances off the network and [RRD] failed to conduct its own investigation of the activity, or otherwise take steps to prevent further compromise, before December 23, 2021.” The MSSP also failed to escalate to RRD at least 20 other alerts related to the same activity. Although RRD’s controls detected possible intrusions, according to the Order, the internal accounting controls nonetheless were deficient because “RRD’s cybersecurity alert review and incident response policies and procedures failed to adequately establish a prioritization scheme and to provide clear guidance to internal and external personnel on procedures for responding to incidents.” This lack of an adequate “prioritization scheme” and “clear guidance . . . for responding to incidents” meant that “RRD’s external and internal security personnel failed to adequately review these alerts [generated by the intrusion detection system]” and that RRD in consequence failed to “take adequate investigative and remedial measures” until after the CISO was alerted by an outside company. The delayed response created by RRD’s inadequate policies and procedures “was exploited by hackers” who accessed RRD’s computer systems and exfiltrated client data. From these findings, the Order concludes that RRD violated Section 13(b)(2)(B)(iii)’s requirement that it “devise and maintain a system of internal accounting controls sufficient to provide reasonable assurance that . . . (iii) access to assets is permitted only in accordance with management’s general or specific authorization.”[3]

The Order states that the “assets” that were accessed were RRD’s “information technology systems and networks,” which does not fit the category of assets captured by Section 13(b)(2)(B). The computer systems, while an RRD asset in a broad sense, are not an asset of the type covered by Section 13(b)(2)(B)’s internal accounting controls provisions. To explain why requires some discussion of the source and function of the Foreign Corrupt Practices Act’s internal accounting controls provision.

Section 13(b)(2)(B) originates with American Institute of Certified Public Accountants (“AICPA”) Statement on Auditing Standards No. 1 (“SAS”).[4] The SAS explains that, in the context of internal accounting controls, the “safeguarding of assets refers only to protection against loss arising from intentional and unintentional errors in processing transactions and handling the related assets.”[5] The specific objectives codified in Section 13(b)(2)(B) come from a section of the auditing standards that were adopted to clarify what internal accounting controls that safeguard assets means “in relation to the functions involved in the flow of transactions.”[6] To that end, the SAS explained that transactions “include exchanges of assets or services” and “[t]he primary functions involved in the flow of transactions and related assets include the authorization, execution, and recording of transactions and the accountability for resulting assets.”[7] Authorization for transactions, in turn, “refers to management’s decision to exchange, transfer, or use assets for specified purposes under specified conditions,”[8] and the related “accountability function follows assets from the time of their acquisition in one transaction until their disposition or use in another.”[9]

After setting out the functions involved and the meaning of the terms used, the SAS then defines two distinct, chronological categories of controls: administrative controls and accounting controls. Administrative controls precede accounting controls and include “the plan of organization and the procedures and records that are concerned with the decision processes leading to management’s authorization of transactions.”[10] Accounting controls, in contrast, focus on the transactions themselves and “are concerned with the safeguarding of assets and the reliability of financial records.”[11] To that end, the SAS sets out four objectives for effective internal accounting controls: “to provide reasonable assurances that:

  1. Transactions are executed in accordance with management’s general or specific authorization.
  2. Transactions are recorded as necessary (1) to permit preparation of financial statements in conformity with generally accepted accounting principles or any other criteria applicable to such statements and (2) to maintain accountability for assets.
  3. Access to assets is permitted only in accordance with management’s authorization.
  4. The recorded accountability for assets is compared with the existing assets at reasonable intervals and appropriate action is taken with respect to any differences.”[12]

The SAS’s focus on creating and maintaining an accurate accounting for the use and disposition of assets in transactions makes clear that the objective of permitting “access to assets . . . only in accordance with management’s authorization” is concerned not with all corporate assets, but rather with assets of a particular character—those that are the subject of corporate transactions.

The asset at issue in the Order—RRD’s computer systems—does not have that essential characteristic. While RRD’s computer systems constitute an asset in the sense of being corporate property, computer systems are not the subject of corporate transactions. At most, computer systems process transactions in corporate assets, but the internal accounting controls are concerned with the use and disposition of the corporate assets themselves. The controls associated with the means of processing transactions in corporate assets are more appropriately categorized as administrative controls involving management’s decisions prior to authorizing transactions.

The Commission’s 2018 report related to the intersection of cybersecurity and internal accounting controls is consistent with this essential distinction between categories of administrative controls and internal accounting controls.[13] For example, one of the schemes involved “using spoofed email domains and addresses” to entice “the companies’ finance personnel to cause large wire transfers to foreign bank accounts controlled by the perpetrators.”[14] In another scheme, “[a]fter hacking the existing vendors’ email accounts, the perpetrators inserted [an] illegitimate request for payments (and payment processing details) into electronic communications” and sent the issuer “doctored invoices [that] reflected the new, fraudulent account information.”[15] As a result, the issuer “made payments on outstanding invoices to foreign accounts controlled by the impersonator rather than the accounts of the real vendors.”[16] The common thread in the schemes is that they involved access to corporate cash. The internal accounting controls were deficient not because the payment processing systems were the means to execute transactions disposing of corporate assets; the internal accounting controls were deficient because outside actors were able to access the corporate cash through fraudulent transactions. In other words, the payment processing systems implicitly were understood to be distinct from the cash itself, and the internal accounting controls were those controls directly related to the transactions that ended in the disbursement of cash.[17]

The Commission’s order faulting RRD’s internal accounting controls breaks new ground with its expansive interpretation of what constitutes an asset under Section 13(b)(2)(B)(iii). By treating RRD’s computer systems as an asset subject to the internal accounting controls provision, the Commission’s Order ignores the distinction between internal accounting controls and broader administrative controls. This distinction, however, is essential to understanding and upholding the proper limits of Section 13(b)(2)(B)’s requirements.

Eliding the distinction between administrative controls and accounting controls has utility for the Commission. As this proceeding illustrates, a broad interpretation of Section 13(b)(2)(B) to cover computer systems gives the Commission a hook to regulate public companies’ cybersecurity practices. Any departure from what the Commission deems to be appropriate cybersecurity policies could be deemed an internal accounting controls violation. The Commission’s assurances in connection with the recent cyber-disclosure rulemaking ring untrue if the Commission plans to dictate public company cybersecurity practices indirectly using its ever-flexible Section 13(b)(2)(B) tool. Also concerning is the Commission’s decision to stretch the law to punish a company that was the victim of a cyberattack. While an enforcement action may be warranted in some circumstances, distorting a statutory provision to form the basis for such an action inappropriately amplifies a company’s harm from a cyberattack.


[1] Statement of Commissioners Hester M. Peirce and Mark T. Uyeda, The SEC’s Swiss Army Statute: Statement on Charter Communications, Inc. (Nov. 14, 2023), available at https://www.sec.gov/news/statement/peirce-uyeda-statement-charter-communications-111423; see also Statement of Commissioners Hester M. Peirce and Elad L. Roisman—Andeavor, LLC (Nov. 13, 2020), available at https://www.sec.gov/news/public-statement/peirce-roisman-andeavor-2020-11-13. There are now versions of the Swiss Army Knife lacking any blades at all. Faith Bottum, What do you Call a Knife Without a Blade?, Wall Street Journal (May 31, 2024), available at https://www.wsj.com/articles/what-do-you-call-a-knife-without-a-blade-swiss-army-knife-80e581a4. One wonders whether a hoof cleaner counts as a blade.

[2] R.R. Donnelley & Sons, Co., Rel. No. 34-100365, (June 18, 2024), available at https://www.sec.gov/files/litigation/admin/2024/34-100365.pdf.

[3] Securities Exchange Act of 1934, Section 13(b)(2)(B)(iii); 15 U.S.C. § 78m(b)(2)(B)(ii)-(iii).

[4] Compare AICPA Statement on Auditing Standards No. 1, § 320.28 (1973) and Foreign Corrupt Practices Act of 1977, Pub. L. No. 95-213, § 102, 91 Stat. 1494 (1977); see also Staff of S. Comm. on Banking, Housing and Urban Affairs, 94th Cong., Rep. of the Securities and Exchange Commission on Questionable and Illegal Corporate Payments and Practices 59 (Comm. Print 1976) (stating that “the Commission has taken the definition” of a system of internal accounting controls “from the authoritative accounting literature” and citing AICPA’s Statement on Auditing Standards No. 1, § 320.28 (1973)); S. Rep. No. 95-114, at 8 (1977) (“Because the accounting profession has defined the objectives of a system of accounting control, the definition of the objectives contained in this subparagraph is taken from the authoritative accounting literature. See American Institute of Certified Public Accountants, Statement on Auditing Standards No. 1, 320.28 (1973).”)

[5] AICPA Statement on Auditing Standards No. 1, § 320.15 (1973) (setting out one of three possible interpretations of “safeguarding assets” for purposes of internal accounting controls); id. § 320.19 (explaining the interpretation in § 320.15 was the correct one).

[6] Id. § 320.19; cf. id. § 320.28 (defining “Accounting control” as “the plan of organization and the procedures and records that are concerned with the safeguarding of assets and the reliability of financial records”).

[7] Id. § 320.20.

[8] Id. § 320.21.

[9] Id. § 320.25.

[10] Id. § 320.27.

[11] Id. § 320.28.

[12] Id. (emphasis added); compare Securities Exchange Act of 1934, Section 13(b)(2)(B)(ii)-(iii), 15 U.S.C. § 78m(b)(2)(B)(ii)-(iii), requiring issuers to “(B) devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances that—(i) transactions are executed in accordance with management’s general or specific authorization; (ii) transactions are recorded as necessary (I) to permit preparation of financial statements in conformity with generally accepted accounting principles or any other criteria applicable to such statements, and (II) to maintain accountability for assets; (iii) access to assets is permitted only in accordance with management’s general or specific authorization; and (iv) the recorded accountability for assets is compared with the existing assets at reasonable intervals and appropriate action is taken with respect to any differences.”

[13] Report of Investigation Pursuant to Section 21(a) of the Securities Exchange Act of 1934 Regarding Certain Cyber-Related Frauds Perpetrated against Public Companies and Related Accounting Controls Requirements, Rel. No. 34-84429, 2018 WL 10691368 (Oct. 16, 2018).

[14] Certain Cyber-Related Frauds, 2018 WL 10691368 at *2 (emphasis added).

[15] Id. at *3.

[16] Id. (emphasis added).

[17] The Report’s examples of specific failings illustrate this by, for example, noting that one “accounting employee who received a spoofed email did not follow the company’s dual-authorization requirement for wire payments, directing unqualified subordinates to sign-off on the wires,” and that another “accounting employee misinterpreted the company’s authorization matrix as giving him approval authority at a level reserved for the CFO.” Id. at *5. The Report’s description of the appropriate remedial steps taken by the issuers reinforces the tight link between the disbursement of cash and the internal accounting controls. For example, the report noted that “after falling victim to these frauds, each of the issuers sought to enhance their payment authorization procedures, and verification requirements for vendor information changes,” and that other “issuers took steps to bolster their account reconciliation procedures and outgoing payment notification processes to aid detection of payments resulting from fraud.” Id. at *4. Both the specific failings and remedial steps relate to controls directly around the execution of transactions using corporate assets, as opposed to policies and procedures related to creating and accessing the payment processing system.

Last Reviewed or Updated: June 18, 2024