The SEC and cybersecurity internal controls cases: R.R. Donnelley and SolarWinds
The SEC settled with R.R. Donnelley and thought it could use the same tactics on SolarWinds. Former SEC professionals say this was a mistake. I agree, but not for the reasons they think it's bad law.
In this newsletter I’m going to talk about some of the SEC “internal controls” cases, in particular the cybersecurity disclosure cases that former SEC enforcement professionals who attended the Securities Enforcement Forum on November 6 in Washington D.C. said they did not like — and believe will not be repeated in a Trump SEC.
And, now, more about the Securities Enforcement Conference on November 6 in Washington D.C. and, in particular, participants’ remarks about R.R. Donnelley and SolarWinds.
In the first panel of the day on November 6, 2024, Alec Koch of King & Spalding moderated a roster of key players to talk about “The SEC’s Role in Cybersecurity—Rulemaking, Enforcement, and Coordination With the DOJ and Other Regulators.”
First up was Melissa Hodgman, Associate Director in the Division of Enforcement, who’s been at the regulator since 2008. Hodgman began by reminding attendees of the four-day rule and the rationale for it:
Once you have determined, and you cannot have an unreasonable delay in your determination that there has been a material cyber event, you have four days to disclose information into the marketplace. And the hope there was not to create additional victims.
One of the things that we were seeing that I think helped generate this rule was people were delaying reporting. And their customers, their investors, and others were becoming victims in the process. And, also, the SEC didn't have the information it needed. We see across the market. We get information from multiple parties. Sometimes we're able to find a pattern and prevent things. We're able to figure out who's engaging in behavior and actually get money back or stop the flow of funds. So the information is absolutely key and the timeliness of it is absolutely key.
There was a lot of talk about materiality.
Hodgman explained that the cybersecurity rule uses the materiality standard from Basic v. Levinson.
It isn't something that I think should be hard for us to apply at this point in time, any harder than it is to always apply materiality, which is one of the challenges that we'll have. But this isn't a “gotcha” rule. This is intended for people to work with us. It's similar to what we have with regard to our SCI entities. And so we do have a lot of experience with this.
What is Basic v. Levinson and what are the “SCI” entities she is referring to?
Basic, Inc. v. Levinson, 485 U.S. 224 (1988) held, among other things, that “the standard set forth in TSC Industries, Inc. v. Northway, Inc., 426 U. S. 438, whereby an omitted fact is material if there is a substantial likelihood that its disclosure would have been considered significant by a reasonable investor, is expressly adopted for the § 10(b) and Rule 10b-5 context. Pp. 485 U. S. 230-232.”
Regulation Systems Compliance and Integrity (SCI) was adopted in 2014 as a set of rules intended to help address technological vulnerabilities in the U.S. securities markets and improve SEC oversight of the core technology of key U.S. securities markets entities (SCI entities).
After the paywall, I’ll say more about materiality and about why the critics of these enforcement actions may be right but they’re right for the wrong reasons.