The SEC announced on June 18, 2024, that R.R. Donnelley & Sons Co. (RRD), a global provider of marketing and business communication services, agreed to pay $2,125,000 USD to settle charges of disclosure and internal control failures related to a ransomware attack in November 2021. Although no longer listed, RRD was a publicly traded company at the time of the incident.

Here is a summary of the SEC’s findings leading to the $2.1 million USD fine: 


Ransomware Incident (November 29, 2021 – December 23, 2021)

RRD experienced a ransomware attack that resulted in the encryption of computers, exfiltration of 70 gigabytes of data (including personal identification and financial information of 29 clients), and business service disruptions. 

Despite multiple alerts from its intrusion detection systems, RRD and its Managed Security Service Provider (MSSP) failed to take timely and adequate steps to investigate and mitigate the threat. Although over 20 alerts were generated, only 3 were escalated to RRD’s internal security team. 

The ransomware attack was only fully addressed after another company alerted RRD to anomalous internet activity on December 23, 2021, almost one month after the first alert. 

Failure to Prioritize and Manage Security Alerts

RRD did not effectively manage the MSSP’s review and escalation of a high volume of security alerts, leading to delayed response to critical threats. 

There were insufficient procedures to oversee the MSSP’s operations, and RRD’s internal personnel were overburdened with other responsibilities, leaving inadequate time to handle escalated alerts. 

Inadequate Disclosure Controls and Procedures (November 2021 – January 2022)

RRD failed to design effective disclosure controls and procedures regarding cybersecurity risks and incidents. As a result, its incident response procedures were not effective for responding to the incident and meeting the applicable breach notification requirements. This failure violated the Exchange Act's requirements for maintaining sufficient disclosure controls.

Deficient Internal Accounting Controls

RRD did not maintain an adequate system of cybersecurity-related internal accounting controls to ensure that access to its information technology systems and networks, which contained sensitive business and client data, was permitted only with management's authorization.


Internal Policy Deficiencies

RRD’s internal policies lacked clear lines of responsibility and authority, criteria for prioritizing alerts, and established workflows for incident response and reporting. 

Regulatory Violations

RRD violated Section 13(b)(2)(B) of the Exchange Act by failing to maintain adequate internal accounting controls.

RRD also violated Exchange Act Rule 13a-15(a), which mandates the maintenance of disclosure controls and procedures for timely and accurate reporting of required information.


10 Lessons Learned

To avoid similar cybersecurity-related violations and massive fines, SEC registrants should learn from this action and verify the following cybersecurity controls are implemented: 

1. Regularly Review and Update Security Policies

  • Maintain and regularly update cybersecurity policies to reflect current best practices and regulatory requirements.
  • Ensure that policies clearly define lines of responsibility and authority for cybersecurity tasks and incident response.

2. Implement and Audit Strong Internal Access Controls

  • Design and maintain internal controls that ensure only authorized access to sensitive information and critical systems.  
  • Regularly audit and test these controls to identify and address any weaknesses. 

3. Continuous Monitoring and Threat Hunting

  • Implement continuous monitoring tools to detect and respond to threats in real-time. 
  • Conduct regular threat-hunting exercises to proactively identify and mitigate potential security risks. 

4. Effective Incident Management and Response

  • Develop a detailed incident response plan that outlines roles, responsibilities, and procedures for detecting, escalating, and responding to cybersecurity incidents. 
  • Ensure that the plan includes clear criteria for prioritizing alerts and incidents based on their severity and potential impact. 
  • Test incident response plans (IRPs) regularly through tabletop exercises and update them as needed to improve response processes and communication/reporting procedures. 

5. Communicate and Report Incidents Promptly

  • Establish clear channels for reporting cybersecurity incidents to senior management, regulatory bodies, and affected stakeholders promptly. 
  • Include cybersecurity risks and incidents as a regular agenda item in board and executive meetings to ensure they receive appropriate attention. 

6. Establish Robust Disclosure Controls and Procedures

  • Develop and maintain comprehensive disclosure controls that ensure timely and accurate reporting of cybersecurity risks and incidents to management and regulatory bodies.  
  • Regularly review and update these controls to adapt to evolving cybersecurity threats. 

7. Allocate Adequate Resources to Cybersecurity

  • Ensure that the cybersecurity team has sufficient personnel and resources to handle the volume and complexity of security alerts and incidents. 
  • Invest in continuous training and development for cybersecurity staff to keep up with the latest threats and best practices. 

8. Engage and Manage Third-Party Security Providers

  • Clearly define the roles, responsibilities, and expectations of third-party managed security service providers (MSSPs) in contracts and communications. 
  • Regularly audit and oversee the performance of MSSPs to ensure they are effectively managing and escalating security alerts according to the company’s priorities and policies. 

9. Enhance Employee Awareness and Training

  • Conduct regular training sessions for all employees on cybersecurity best practices, including how to recognize and respond to phishing and other common attack vectors. 
  • Promote a culture of security awareness where employees understand their role in protecting the organization’s assets. 

10. Regularly Assess and Improve Security Posture

  • Perform regular security assessments, including vulnerability assessments and penetration testing, to identify and remediate vulnerabilities. 
  • Stay informed about emerging threats and update security measures accordingly. 
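Lessons 4 and 8 both come down to one measurable thing: are alerts ranked by written criteria, and does the MSSP actually escalate according to them within an agreed time? The block below is an added Python example, not code from this page or from Agio, showing what that oversight check looks like when run over an alert feed. The severity ranks, category weights and escalation SLAs are hypothetical assumptions for the example, and the alerts in `sample_feed()` are constructed for illustration rather than taken from the RRD incident.

```python
"""Alert prioritisation and MSSP escalation audit (added example, hypothetical criteria)."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Assumed prioritisation criteria: a severity rank plus extra weight for
# categories that mean an intrusion is already in progress. These are
# assumptions for the example, not criteria from the SEC order.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}
ACTIVE_INTRUSION = {"lateral_movement", "credential_dumping", "data_exfiltration", "ransomware"}

# Assumed escalation SLAs: maximum time from the alert firing to hand-off
# from the MSSP to the registrant's internal security team.
ESCALATION_SLA = {
    "critical": timedelta(hours=1),
    "high": timedelta(hours=4),
    "medium": timedelta(hours=24),
    "low": timedelta(days=7),
}


@dataclass
class Alert:
    alert_id: str
    fired_at: datetime
    host: str
    category: str
    severity: str
    escalated_at: Optional[datetime] = None  # None: MSSP closed it without escalating


def _alerts_per_host(alerts: list[Alert]) -> dict[str, int]:
    counts: dict[str, int] = defaultdict(int)
    for a in alerts:
        counts[a.host] += 1
    return counts


def priority_score(alert: Alert, per_host: dict[str, int]) -> int:
    """Severity, plus weight for active-intrusion categories, plus weight when the
    same host has fired other alerts (a chain of activity, not a one-off)."""
    score = SEVERITY_RANK[alert.severity]
    if alert.category in ACTIVE_INTRUSION:
        score += 2
    if per_host[alert.host] > 1:
        score += 1
    return score


def prioritize(alerts: list[Alert]) -> list[Alert]:
    """Order the queue by score (highest first), older alerts first on ties."""
    per_host = _alerts_per_host(alerts)
    return sorted(alerts, key=lambda a: (-priority_score(a, per_host), a.fired_at))


def audit_escalations(alerts: list[Alert]) -> dict:
    """Oversight metrics a registrant should pull from its MSSP: escalation rate,
    high/critical alerts that were never escalated, escalations that breached
    the SLA, hosts with repeated alerts, and the end-to-end delay."""
    per_host = _alerts_per_host(alerts)
    escalated = [a for a in alerts if a.escalated_at is not None]
    first_alert = min(a.fired_at for a in alerts)
    last_escalation = max((a.escalated_at for a in escalated), default=None)
    return {
        "total": len(alerts),
        "escalated": len(escalated),
        "escalation_rate": len(escalated) / len(alerts),
        "unescalated_high_or_critical": [
            a.alert_id for a in alerts
            if a.escalated_at is None and SEVERITY_RANK[a.severity] >= SEVERITY_RANK["high"]
        ],
        "sla_breaches": [
            a.alert_id for a in escalated
            if a.escalated_at - a.fired_at > ESCALATION_SLA[a.severity]
        ],
        "hosts_with_alert_chains": sorted(h for h, n in per_host.items() if n >= 3),
        "days_first_alert_to_last_escalation": (
            (last_escalation - first_alert).days if last_escalation else None
        ),
    }


def sample_feed() -> list[Alert]:
    """Constructed MSSP alert feed for the example; not RRD's real alerts."""
    t0 = datetime(2024, 1, 1, 8, 0)
    d = lambda days, hours=0: t0 + timedelta(days=days, hours=hours)  # noqa: E731
    return [
        Alert("A-001", d(0), "ws-finance-07", "suspicious_powershell", "medium"),
        Alert("A-002", d(0, 3), "ws-finance-07", "credential_dumping", "high"),
        Alert("A-003", d(1), "srv-file-02", "lateral_movement", "high"),
        Alert("A-004", d(1, 5), "ws-hr-11", "malware_signature", "low", escalated_at=d(1, 6)),
        Alert("A-005", d(3), "srv-file-02", "data_exfiltration", "high", escalated_at=d(9)),
        Alert("A-006", d(4), "ws-finance-07", "data_exfiltration", "critical"),
        Alert("A-007", d(6), "srv-backup-01", "ransomware", "critical", escalated_at=d(6, 0.5)),
        Alert("A-008", d(10), "srv-file-02", "ransomware", "critical"),
    ]


if __name__ == "__main__":
    for a in prioritize(sample_feed()):
        print(a.alert_id, a.host, a.category, a.severity)
    for k, v in audit_escalations(sample_feed()).items():
        print(f"{k}: {v}")
```

On the constructed feed the audit reports 3 of 8 alerts escalated, one escalation outside its SLA, four high or critical alerts never escalated at all, and two hosts each carrying three related alerts. Those are the numbers a registrant should be receiving from its MSSP on a fixed cadence, with the prioritisation criteria and SLAs written into the contract so the figures can be compared against something.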


Agio can help.

Agio has been a leader in cybersecurity governance and operations for SEC registrants for over 10 years. Agio's Intelligent IT and Cybersecurity Services, including our SEC Cybersecurity Governance Program and Cybersecurity Operations services, are designed to meet the SEC's cybersecurity risk management requirements.

Contact us today.