Last week R.R. Donnelley (RRD) and the SEC reached a $2.125M settlement on issues related to a December 2021 cybersecurity incident. Coming after Solarwinds and being a resolved issue has led to less cybersecurity industry angst about the SEC’s RRD complaint than the Solarwinds complaint. This is wrong as the RRD complaint is much more disturbing.

The Solarwinds complaint was primarily about the company’s allegedly misleading statements to investors.

SolarWinds and/or Brown made materially false and misleading statements and omissions related to SolarWinds’ cybersecurity risks and practices.

And the complaint highlighted in bold in the first paragraph of the summary:

(Tim) Brown wrote in an internal presentation that Solarwinds’ “current state of security leaves us in a very vulnerable state for our critical assets”.

There are many examples throughout the complaint where internal statements about the state of cybersecurity varied from the external statements. Some are easily dismissed as low level gossip, but others, like the example above, are serious statements to executives.

I’ve been less panicked than others about the impact of the SEC’s Solarwinds complaint on CISOs and cybersecurity. In other corporate areas there has long been an understanding that internal and external/investor communications need to be concordant.

You can’t tell the board you have a major cash reserves issue and tell the SEC and investors cash reserves are fine. You can’t tell the board that your manufacturing lines will be down for 6 months due to supply chain issues and tell the SEC / investors there will be no impact due to supply chain issues. It’s well past time that cybersecurity disclosure issues be held to the same standard.

(Detour: this typically only becomes an SEC issue when investors lose money. Then someone doing, or not doing, something in the company is to blame. Matt Levine of Bloomberg has an ongoing “everything is securities fraud” riff on this.)

The RRD / SEC settlement is not related to misleading investors. It is the SEC saying RRD’s security controls were insufficient. RRD chose not to fight this. Probably a wise action as a $2.125M settlement is relatively small and puts the issue behind them.

The SEC has the authority to require that public companies have sufficient internal accounting controls. This settlement uses, and introduced at least to me, the term “cybersecurity-related internal accounting controls”.

The idea that the SEC is going to regulate the required cybersecurity controls is a much greater concern to CISOs and other executives, the security groups, and the company. It likely means that any time there is a cyber incident, the company could be found to have some deficiency in its cybersecurity program and be subject to a complaint and fine, and possibly other actions.

Are cybersecurity controls really internal accounting controls? It would be hard to find anyone in cybersecurity who believes this. My guess is almost all of accounting / finance would also not consider cybersecurity controls internal accounting controls.

I’m not a lawyer, but … I wonder if the US Supreme Court’s Chevron doctrine ruling last week will have an effect on this latest SEC regulatory grab. Not the Solarwinds misleading investors issue, but the idea that internal accounting controls include cybersecurity controls.

Prior to the ruling the courts would defer to the agency’s (here, the SEC’s) interpretation of a statute; in this case, the interpretation that cybersecurity controls fall under the SEC’s regulatory purview. This deference is gone. Will we see this interpretation come before the courts?