SEC continues to make cyber moves: RR Donnelly settles with SEC for USD2.1 million for control failure charges relating to cyber incidents

Published Date

Jun 24, 2024

Related people

On June 18, 2024, the SEC issued a significant fine to a regulated entity following a 2021 ransomware attack, indicating the agency is taking its authority as a cyber enforcer seriously. The action is the latest in a string of enforcement around its new rules on cyber risk management.

The Securities and Exchange Commission (“SEC”) announced that R.R. Donnelley & Sons Company (“RRD”) was ordered to pay over $2.1 million following the SEC’s investigation into RRD’s 2021 cybersecurity incident. See the SEC’s full order here.

Incident Background

RRD is a Chicago-based company that provides communications services and marketing solutions globally. Like many organizations, RRD engaged a third party managed services provider (“MSSP”) to assist with information security management. Essentially, when RRD’s internal systems detected unusual or potentially malicious activity, the systems would generate an alert which was visible to both the MSSP and RRD. The MSSP would do a first level review and escalate alerts to RRD’s cybersecurity team where necessary. The goal behind these systems is to automate and manage false alarms, easy to triage pings, and easy to contain malware. The division of labor alleviates the burden on internal resources, especially where cyber expertise is in short supply, and uses programmatic tools to manage cyber risk.

In November 2021 the MSSP received and reviewed over 20 alerts from RRD’s intrusion detection systems. Three of these alerts were escalated to RRD and all alerts were visible to RRD’s cybersecurity team. The escalated alerts stated that the intrusion detection systems identified suspicious activity throughout RRD’s network connected to a potential phishing campaign. Despite the alerts, RRD did not investigate the incident or take further containment actions.

Finally, on December 23, 2021, RRD began to respond to the attack in earnest. By that point, a threat actor had exfiltrated 70 Gigabytes of data belonging to 29 RRD clients. The stolen data included personal information, including some financial details.

The SEC’s Order

The SEC found that despite the alerts and warnings from the MSSP, RRD failed to take the impacted systems offline and to conduct an investigation of the activity or otherwise contain the incident in a timely manner. The SEC also found RRD failed to design effective disclosure controls and procedures to report relevant cybersecurity information to management and specifically to maintain sufficient procedures to oversee the MSSP.

In its order, the SEC explained that RRD’s actions, or lack thereof, violated section 13(b)(2)(B) of the Securities and Exchange Act, which requires issuers to “device and maintain a system of internal accounting controls sufficient to provide reasonable assurances”, including assurances that access to assets is permitted only in accordance with management’s general or specific authorization. It also violated Exchange Act Rule 13a-15a, which requires covered issuers to maintain disclosure controls and procedures.

In addition to the fine, RRD agreed to cease and desist from violating the provisions. Of note, the SEC highlighted that RRD cooperated in the investigation, which, it suggested, played a role in the SEC mitigating the final order.

Takeaways

The basis of the SEC’s order focused on RRD’s approach to cyber risk management, rather than the specifics of how it stored customer data on its networks or other technical aspects of the ransomware incident. Particularly, the SEC took issue with the insufficient oversight of MSSP in terms of its review and escalation of the alerts. Further, the SEC found that RRD did not reasonably manage the MSSP’s allocation of resources to evaluate and escalate alerts as necessary. Finally, RRD’s internal policies with respect to reviewing alerts and escalating to those with decision-making authority were not sufficient to respond to incidents.

Ultimately, as opposed to a focus on technical or safeguarding failures, which have previously been the focus of federal investigations, we can expect the SEC to take on a more active role in investigating and reaching settlement orders with issuers where the crux of the alleged failures lay with management processes itself, rather than the underlying root cause of an incident.

We recommend issuers take the following steps:

Review all contracts with MSSPs to clarify roles and responsibilities.
Have a documented policy or procedure relating to escalation of alerts internally (including alerts escalated from an MSSP or from another internal system or personnel).
Review the incident response plan to ensure it is actionable, particularly with respect to coordination on the MSSP and internal cyber response team.
Review the cybersecurity budget and ensure resources are allocated appropriately.