Two recent enforcement actions — one in Australia, the other in the United States — demonstrate regulators’ growing appetite for penalising companies that leave themselves open to cyberattack.
Most boards recognise that attempted cyberattacks on their corporation’s data and IT systems are inevitable. In FY22–23, a cyberattack was reported through the Australian government’s ReportCyber portal every six minutes. The attackers — or “threat actors” in the increasingly militarised jargon of cybersecurity — range from aggrieved insiders, to individual criminals and organised criminal gangs, to quasi-state and state actors. These categories can blur and the attackers’ motives can differ. Often, demand attacks (as distinct from sleeper attacks) involve holding to ransom access to key IT systems, or protected data including intellectual property, commercially sensitive information, or clients’ private information.
The harms a successful cyberattack can inflict on the corporation are obvious. They include the costs of mitigating the effects of the hack and managing the fallout, including loss of trust. And because an attack can have significant flow-on harms for others, the political and regulatory pressure on corporations to adopt sufficient cybersecurity measures is significant.
Two recent regulatory actions — involving RR Donnelley & Sons Company (RRD) in the US and Medibank Private Ltd (Medibank) in Australia — show how closely regulators’ attention is focused on those measures.
RRD proceeding
The administrative proceeding against RRD in the US Securities and Exchange Commission (SEC) arose out of a serious ransomware attack in 2021. RRD is a marketing business that was listed on Nasdaq. The SEC noted the critical importance of cybersecurity to the company, given its business of “storing and transmitting large amounts of data, including sensitive data” supplied by its clients.
In November 2021, RRD’s internal intrusion detection systems began issuing alerts about malware in the RRD network. These were visible to its internal cybersecurity team and to its externally managed security services provider (MSSP). RRD “reviewed the escalated alerts but, in partial reliance on its MSSP, did not take the infected instances off the network”.
The SEC also alleged that RRD “failed to conduct its own investigation of the activity, or otherwise take steps to prevent further compromise, until 23 December 2021”.
During those critical weeks, “the threat actor was able to install encryption software on certain RRD computers (mostly virtual machines) and exfiltrated 70 gigabytes of data, including data belonging to 29 of RRD’s 22,000 clients”.
The SEC brought enforcement action against RRD for breaches of US securities laws, including s13(b)(2)(B) of the Securities Exchange Act 1934, which requires issuers to “devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances... that access to company assets is permitted only in accordance with management’s general or specific authorisation”.
The SEC said the control failure lay in RRD’s cyber incident response policies and procedures and its processes for reviewing alerts for potentially malicious cyber activity. These “failed to adequately establish a prioritisation scheme and to provide clear guidance to internal and external personnel on procedures for responding to incidents”. The SEC also said that RRD “failed to establish sufficient internal controls to oversee its third party-managed security services provider’s review and escalation of the alerts”.
In June 2024, RRD agreed to settle with the SEC, without admitting fault, by paying a civil penalty of US$2.125m and agreeing to upgrade its cybersecurity technology and processes.
Dissenting view
The SEC’s proceeding against RRD is controversial in the US because of the SEC’s reliance on the section of the Exchange Act that deals with internal accounting controls. Two SEC commissioners dissented, taking the view the section does not extend to failures of other controls (such as cybersecurity, legal or compliance controls) that are not related to accounting controls. In a dissenting statement, the two commissioners said, “Eliding the distinction between administrative controls and accounting controls has utility for the commission. As this proceeding illustrates, a broad interpretation of s13(b)(2)(B)(iii) to cover computer systems gives the commission a hook to regulate public companies’ cybersecurity practices”. They also expressed concern the SEC was seeking “to stretch the law to punish a company that was the victim of a cyberattack. While an enforcement action may be warranted in some circumstances, distorting a statutory provision to form the basis for such an action inappropriately amplifies a company’s harm from a cyberattack”.
After RRD settled, the SEC’s expansive interpretation of the internal accounting controls provision was successfully challenged in the U.S. District Court for the Southern District of New York, in its case against SolarWinds Corporation.
Medibank proceeding
Although the two proceedings are constructed differently, there are factual similarities between the RRD proceeding and the Federal Court action against Medibank that the Australian Information Commissioner (AIC) commenced in June. Both concern alleged failures to implement adequate cybersecurity controls.
The Medibank action concerns a 2022 cyberattack and is based on privacy laws. The AIC alleges that, between March 2021 and October 2022, Medibank “seriously, further or alternatively repeatedly, interfered with the privacy of approximately 9.7 million individuals... whose personal information it held... by failing to take reasonable steps to protect that personal information from misuse, and/or from unauthorised access or disclosure”.
The AIC’s concise statement of claim specifies 11 measures it says Medibank should have taken in 2021–22 to protect its clients’ information. The reasonableness of these measures is said to be, “informed by various cybersecurity and information security standards and frameworks which existed during the relevant period”, including the ISO 27000 series, and guidelines produced by the Australian Cyber Security Centre, Australian Signals Directorate and APRA. Medibank intends to defend the proceedings.
The AIC case against Medibank, like the RRD action in the US, shows the willingness of regulators to challenge the adequacy of cybersecurity measures when a corporation is the victim of a cyberattack. Directors need to factor this development — and the lessons from these and similar cases — into oversight of this increasingly central aspect of risk management.
Dr Pamela Hanrahan is an Emerita Professor of the University of NSW and a consultant at Johnson Winter Slattery.
This article first appeared under the headline ‘Due Cyber Diligence’ in the August 2024 issue of Company Director magazine.