Vedder Price

SEC Settles Enforcement Proceedings Against Business for Allegedly Insufficient Internal Controls Relating to Cybersecurity Incident

On June 18, 2024, the SEC announced the settlement of administrative proceedings brought against a marketing and business communications firm for alleged internal accounting control deficiencies that led to the firm's failure to respond promptly to a ransomware attack between November 29, 2021 and December 23, 2021. The attack involved the unauthorized encryption of the firm's computers, the exfiltration of firm and client data, and business service disruptions. According to the order, the firm received and reviewed network intrusion alerts escalated to it by its third-party managed security services provider, but the firm's cybersecurity alert review and incident response policies and procedures failed to establish an adequate prioritization scheme or to give internal and external personnel clear guidance on how to respond to such incidents. As a result, the firm did not take the malware-infected instances off its network, investigate the activity, or take other steps to prevent further network compromise until December 23, 2021.

The SEC alleged that the firm "failed to design effective disclosure-related controls and procedures around cybersecurity incidents to ensure that relevant information was communicated to management to allow timely decisions regarding potentially required disclosure" and also "failed to reasonably design and maintain internal controls that complied with Section 13(b)(2)(B) of the Securities Exchange Act of 1934." The SEC found that the firm also violated Exchange Act Rule 13a-15(a), which requires issuers of securities (such as the firm) to maintain disclosure controls and procedures designed to ensure that information required to be disclosed by an issuer is properly recorded, processed, summarized, and reported.

Without admitting or denying the SEC's findings, the firm consented to cease and desist from future violations and to pay a civil monetary penalty of approximately $2.1 million. In agreeing to the settlement, the SEC considered the remedial acts promptly undertaken by the firm, including voluntarily adopting new cybersecurity technology and controls, and its cooperation with the SEC staff. In response to this action, Commissioners Peirce and Uyeda issued a statement expressing their concerns over, among other things, the SEC's use of Section 13(b)(2)(B) of the Exchange Act as a "Swiss Army Statute to compel issuers to adopt policies and procedures the Commission believes prudent."

The SEC's order and a related press release are published on the SEC's website.

Professionals

Nathaniel Segal, Shareholder
Jacob C. Tiedt, Shareholder
Mark A. Quade, Shareholder
Jake W. Wiesen, Associate
Devin Eager, Associate