SEC Charges RR Donnelley for Ransomware Attack Response

On June 18, 2024, the US Securities and Exchange Commission (SEC) announced a settlement with RR Donnelley & Sons Co. (RRD), a global provider of business communication and marketing services, for violating the internal controls and disclosure controls provisions of federal securities laws in relation to Donnelley's response to a 2021 ransomware attack. The settlement requires RRD to pay a civil monetary penalty of $2.125 million and cease and desist from further violations of Section 13(b)(2)(B) of the Securities Exchange Act of 1934 and Exchange Act Rule 13a-15(a).

During the relevant period of time, RRD was a publicly traded company subject to the SEC's disclosure and periodic reporting requirements. According to the SEC's order, RRD's cybersecurity intrusion detection systems issued a high volume of complex alerts each month. RRD's third-party managed security services provider (the "SSP") did an initial review of the alerts and escalated certain of them to RRD, but the SEC's order alleged that RRD did not reasonably manage the SSP's allocation of resources or maintain sufficient audit and oversight procedures with respect to the SSP. These issues came to a head when RRD experienced a ransomware attack in late 2021. Starting November 29, 2021, the SEC alleged that RRD's internal intrusion detection systems began issuing alerts about certain malware in the RRD network, which were visible to both RRD's and the SSP's security personnel. According to the order, the SSP escalated three of the alerts to RRD's internal security personnel, noting (1) the indications that similar activity was taking place on multiple computers, (2) connections to a broad phishing campaign, and (3) open-source intelligence that the malware was capable of facilitating remote execution of arbitrary code.

RRD reviewed the escalated alerts but, according to the SEC, did not take the infected instances off the network and failed to conduct its own investigation of the activity or otherwise take steps to prevent further compromise before December 23, 2021, after another company with shared access to RRD's network alerted RRD's Chief Information Security Officer (CISO) about potential anomalous internet activity emanating from RRD's network. The SEC observed that in November and December 2021, the SSP reviewed but did not escalate to RRD at least 20 other alerts that were related to the same activity, including alerts regarding the same malware being installed or executed on multiple other computers across the network and compromise of a domain controller server, which provided the threat actor with access to and control over a broader sweep of network resources and credentials. Between November 29 and December 23, 2021, the SEC determined that the threat actor was able to install encryption software on various RRD computers. The threat actor ultimately exfiltrated 70 gigabytes of data; this included data belonging to 29 of RRD's 22,000 clients, some of which contained personal identification and financial information.

After the December 23, 2021 alert, RRD's security personnel initiated a response operation, including shutting down servers and notifying clients and federal and state agencies. Beginning on December 27, 2021, RRD issued public statements, including in EDGAR filings, regarding the ransomware intrusion.

The SEC's order found that RRD failed to design effective cybersecurity incident controls and procedures, with key failures related to the timeliness of relevant communications and decisions around potential incident disclosures. The SEC noted that intrusion detection alerts were available to RRD's internal personnel for review but were first reviewed and analyzed by the SSP, after which the SSP would escalate certain alerts to RRD's internal cybersecurity personnel. Despite what the SEC characterized as a high volume and complexity of alerts that the SSP was responsible for reviewing, the SEC alleged that RRD did not reasonably manage the SSP's allocation of resources. For example, in its contract and communications with the SSP, the SEC noted that RRD failed to reasonably set out a sufficient prioritization scheme and workflow for review and escalation of the alerts. The SEC also alleged RRD did not have sufficient procedures to audit or otherwise oversee the SSP in order to confirm that the SSP's review and escalation of alerts were consistent with RRD's instructions. Despite the high volume and complexity of alerts the SSP escalated to RRD, the SEC noted that RRD personnel responsible for reviewing and responding to escalated alerts had significant other job responsibilities, resulting in insufficient time to dedicate to the escalated alerts and general threat-hunting in RRD's environment. According to the SEC, RRD's internal policies governing its personnel's review of cybersecurity alerts and incident response also failed to sufficiently identify lines of responsibility and authority, set out clear criteria for alert and incident prioritization, and establish clear workflows for alert review and incident response and reporting.

As a result of this conduct, the SEC determined that RRD violated two key provisions of the federal securities laws.

Central to these charges is the SEC's determination that RRD's information technology systems and networks constituted an "asset" of the company. Two of the five SEC commissioners dissented from the action and took particular issue with the majority's expansive interpretation of what constitutes an asset under Section 13(b)(2)(B)(iii). By treating RRD's computer systems as an asset subject to the internal accounting controls provision, the dissenting commissioners argued, the SEC's order ignores the distinction between internal accounting controls and broader administrative controls.

The SEC noted that its decision to accept the settlement took into consideration RRD's cooperation with the investigation and remedial actions, including reporting the ransomware attack to the SEC prior to disclosing it to investors, revising incident response policies and procedures, adopting new cybersecurity technology and controls, updating employee training, and increasing cybersecurity personnel headcount.

The enforcement action is the latest of many in which the SEC has pursued disclosure controls or internal controls charges against a public company for perceived shortcomings related to the disclosure of cybersecurity risks and incidents, and it is significant for its focus on a company's oversight of a third-party security service provider.