Internal Accounting Controls and Cyber Risk

Today I want to return to that recent enforcement action against RR Donnelley, where the Securities and Exchange Commission cited faulty internal accounting controls at Donnelley as grounds to impose a $2.1 million sanction over the company’s poor handling of a cybersecurity incident. What are internal control professionals supposed to make of an enforcement action like that? 

This has been on my mind because (1) internal accounting controls are quite the versatile vehicle for SEC enforcement; and (2) companies now suffer cybersecurity incidents all the time. Taken together, they raise the question of how much more robust a company’s cybersecurity controls need to be if you want to avoid an SEC enforcement action akin to what Donnelley just suffered. 

First, a recap of what actually happened at Donnelley. As described in the SEC settlement order, Donnelley suffered a ransomware attack in late November 2021. A cybersecurity vendor that Donnelley used to monitor for such attacks did alert the company that one was underway, but Donnelley’s own IT security team didn’t give the attack much attention for nearly a month. Instead, Donnelley only swung into action when another business alerted Donnelley’s CISO directly about the attack. By then the damage had been done, with Donnelley customer data copied and posted to the dark web.

The SEC brought civil enforcement against Donnelley on two fronts. First, it faulted Donnelley for poor disclosure controls: low-level employees trying to respond to the attack hadn’t alerted more senior executives to the severity of the attack, so those senior executives couldn’t provide accurate disclosure to investors. We explored the disclosure controls angle of the case in a previous post.

Second, however, the SEC also faulted Donnelley for “failing to devise and maintain a system of cybersecurity-related internal accounting controls” to protect access to Donnelley’s IT systems. We need to pull on that thread. 

The Specific Internal Control Violation

Go back to the previous paragraph about Donnelley failing to devise and maintain a system of cybersecurity controls. The full sentence in the SEC settlement order says that Donnelley… 

failed to devise and maintain a system of cybersecurity-related internal accounting controls sufficient to provide reasonable assurances that access to RRD’s assets — its information technology systems and networks, which contained sensitive business and client data — was permitted only with management’s authorization.

The statutory authority for that statement flows from the Exchange Act of 1934, which established the Securities and Exchange Commission and the anti-fraud securities laws we use today. The text of the Exchange Act states that companies must devise and maintain a system of internal accounting controls “sufficient to provide reasonable assurances” on four points:

  • Transactions are executed according to management authorization;
  • Transactions are recorded properly;
  • Access to assets is permitted only according to management authorization;
  • Recorded accountability for assets is reconciled with existing assets.

That third bullet point is the one relevant to Donnelley and us today. The SEC is taking a fine point of securities law originally intended for accounting fraud and applying it to cybersecurity.

Is it really proper for the SEC to use its books-and-records provision in that manner? Honestly, I dunno. On one hand, we should remember that no actual fraud happened at Donnelley. No transactions were improperly recorded. The company didn’t even suffer a loss of data, since the data was only copied. 

On the other hand, Donnelley was locked out of important IT systems. For example, some customers couldn’t receive documentation vital to vendor payments and disbursement checks. If this cyber attack had happened in the physical world, it would be akin to hooligans strolling into your building, changing the locks to the accounting department, and demanding millions if you want the set of new keys. A company that let something like that happen would certainly seem inept to most reasonable investors.

Critics of the SEC (and lord knows there are plenty around) would say the Donnelley case is a novel interpretation of anti-fraud rules, with the SEC basically nosing its way into cybersecurity regulation. That seems outside the SEC’s swim lane.

Then again, suppose those hackers had exploited sloppy cybersecurity controls to steal money from Donnelley rather than copying data, and then covered their tracks by altering the finance department’s banking records. (A frighteningly easy thing to do, by the way.) Few people would fault the SEC for raking Donnelley over the coals then. So why does this case feel a bit weird now, when money wasn’t stolen? 

A Convergence of Internal Controls

Let’s step back and appreciate what’s happening here at a larger scale, thanks to advances in technology: the controls necessary for strong financial reporting and those necessary for strong cybersecurity are converging into a single system of internal control.

The name of the newly converged game is access control. You need strong controls to govern access to IT systems, rather than the historical norm of controls to govern access to the accounting department and actual, physical books and records. 

That idea seems straightforward in the abstract, but in practice it opens the door to enforcement actions like what we see with Donnelley. It also takes us to some strange places as we ponder internal control design and the role of the cybersecurity team. 

For example, not only will you need user-level access controls such as multi-factor authentication and role-based access, so that only accounting employees can access accounting systems. You’ll also need system-level IT general controls such as constant vulnerability scans, automated patch management, strong incident response plans, and de-commissioning of unused IT equipment.

So how does the cybersecurity team participate in all that? Does the CISO now have veto control over your company’s financial technology? Does the internal audit team go on a hiring spree of IT auditors, to audit cyber controls? Can they redesign financial processes, roles, and reporting, even against the accounting and finance teams’ wishes? 

Moreover, go back to that Exchange Act definition of internal controls, which should provide “reasonable assurance.” The statute then goes on to define what reasonable assurance means: “such level of detail and degree of assurance as would satisfy prudent officials in the conduct of their own affairs.”

Well, once you’ve suffered a cyber attack, wouldn’t you want a higher level of detail and degree of assurance to satisfy your prudent self? Because now you know that you’re vulnerable to an attack, and you can’t un-know that fact. So how will that common-sense standard color the SEC’s thinking about your internal accounting-turned-cyber controls, and whether they were sufficiently strong? 

This post is long enough for today, but clearly internal audit, internal control, and cybersecurity teams have a lot to consider here. The SEC is raising the bar for effective cybersecurity and incident response, under the guise of internal accounting controls. 

I don’t know whether that’s good or bad, but I do know you can’t unring that bell. 
