Making the Connection – What Do Recent SEC Enforcement Actions Mean for Cyber Controls?
- Meredith Cross, Lillian Brown
- 8.9.2024
On July 18, 2024, the U.S. District Court for the Southern District of New York dismissed most of the claims brought by the Securities and Exchange Commission (the “Commission”) against SolarWinds Corp. and its Chief Information Security Officer in SEC v. SolarWinds Corp. et al. in connection with the SUNBURST attack. Among other things, the decision provides important perspective to the debate regarding whether controls associated with cybersecurity matters are covered by the internal accounting controls provisions of Section 13(b)(2)(B) of the Securities Exchange Act of 1934, as amended (the “Exchange Act”). The court's dismissal in SolarWinds follows in sharp contrast to the Commission's June 18, 2024 settlement with R.R. Donnelley & Sons Company relating to cybersecurity incidents, including violations of Section 13(b)(2)(B) with regard to internal accounting controls, and Exchange Act Rule 13a-15(a) with regard to disclosure controls and procedures (“DCP”).
This alert explores these recent developments, beginning with a refresher on the elements of DCP, internal accounting controls, and internal control over financial reporting, analyzes those requirements in light of recent Commission enforcement and judicial actions, and concludes with some practical considerations for issuers.
