SEC Charges R.R. Donnelley for Ransomware Attack Response

On June 18, 2024, the U.S. Securities and Exchange Commission ("SEC") announced a settlement with RR Donnelley & Sons Co. ("RRD"), a global provider of marketing and business communications services, for violating the internal controls and disclosure controls provisions of the federal securities laws in connection with RRD's response to a 2021 ransomware attack. The settlement requires RRD to pay a civil monetary penalty of $2.125 million and to cease and desist from future violations of Section 13(b)(2)(B) of the Securities Exchange Act of 1934 and Rule 13a-15(a) of the Exchange Act.

During the relevant period, RRD was a publicly traded company subject to the SEC's periodic reporting and disclosure requirements. According to the SEC order, RRD's cybersecurity intrusion detection systems issued a high volume of complex alerts each month. RRD's third-party managed security services provider (the "SSP") conducted an initial review of the alerts and escalated some of them to RRD, but the SEC's order alleged that RRD failed to reasonably manage the allocation of SSP resources and to maintain sufficient audit and supervisory procedures regarding the SSP. These issues came to a head when RRD experienced a ransomware attack in late 2021. The SEC alleged that, beginning on November 29, 2021, RRD's internal intrusion detection systems began issuing alerts about certain malware on the RRD network, which were visible to both RRD and SSP security personnel. According to the order, the SSP escalated three alerts to RRD internal security personnel, observing: (1) indications that similar activity was occurring on several computers; (2) connections to a widespread phishing campaign; and (3) open source intelligence that the malware was capable of facilitating remote execution of arbitrary code.

RRD reviewed the escalated alerts but, according to the SEC, "did not remove the infected instances from the network and conduct its own investigation of the activity, nor take steps to prevent further compromise before December 23, 2021," when another company with shared access to RRD's network alerted RRD's Chief Information Security Officer ("CISO") of possible anomalous Internet activity emanating from RRD's network. The SEC noted that in November and December 2021, the SSP reviewed, but did not escalate to RRD, at least 20 other alerts related to the same activity, "including alerts about the installation or execution of the same malware on several other computers throughout the network and the compromise of a domain controller server, which provided the threat actor access and control over a broader range of network resources and credentials." Between November 29 and December 23, 2021, the SEC determined that the threat actor was able to install encryption software on multiple RRD computers. The threat actor ultimately exfiltrated 70 gigabytes of data, including data belonging to 29 of RRD's 22,000 clients, some of which contained personal identification and financial information.

Following the alert on December 23, 2021, RRD security personnel initiated a response operation, which included shutting down servers and notifying clients and federal and state agencies. Beginning on December 27, 2021, RRD issued public statements, including EDGAR filings, regarding the ransomware intrusion.

The SEC order found that RRD failed to design effective controls and procedures for cybersecurity incidents, with key failures related to the timeliness of relevant communications and decisions surrounding potential incident disclosures. The SEC noted that the intrusion detection alerts were available to RRD's internal staff for review, but were first reviewed and analyzed by the SSP, after which the SSP would escalate certain alerts to RRD's internal cybersecurity staff. Despite what the SEC characterized as a high volume and complexity of alerts that the SSP was responsible for reviewing, the SEC alleged that RRD failed to reasonably manage the SSP's resource allocation. For example, the SEC noted that, in its contract and communications with the SSP, RRD did not reasonably establish a sufficient prioritization scheme and workflow for the review and escalation of alerts. The SEC also alleged that RRD did not have sufficient procedures to audit or otherwise supervise the SSP to confirm that the SSP's review and escalation of alerts were consistent with RRD's instructions. Despite the large volume and complexity of alerts that the SSP escalated to RRD, the SEC noted that RRD staff responsible for reviewing and responding to escalated alerts had other important job responsibilities, resulting in "insufficient time to devote to escalated alerts and the search for threats in general in the RRD environment." According to the SEC, RRD's "internal policies governing the review of cybersecurity alerts and response to incidents by its staff also failed to sufficiently identify lines of responsibility and authority, establish clear criteria for prioritizing alerts and incidents, and establish clear workflows for alert review, incident response, and reporting."

As a result of this conduct, the SEC determined that RRD violated two key provisions of the federal securities laws:

  • Section 13(b)(2)(B) of the Securities Exchange Act of 1934, which requires public companies to design and maintain a system of internal accounting controls sufficient to provide reasonable assurance, among other things, that access to company assets is permitted only in accordance with general or specific management authorization; and
  • Rule 13a-15(a) of the Exchange Act, which requires public companies to maintain disclosure controls and procedures designed to ensure that information required to be disclosed in the reports it files with the SEC is recorded, processed, summarized, and reported within the time periods specified in the Commission's rules and forms.

Central to these charges is the SEC's determination that RRD's information technology systems and networks constituted a company asset. Two of the five SEC commissioners dissented from the action, and took particular issue with the majority's "expanded interpretation of what constitutes an asset under Section 13(b)(2)(B)(iii)." By treating RRD's computer systems as an asset subject to the internal accounting controls provision, the dissenting commissioners argued, the SEC's order ignores the distinction between internal accounting controls and broader administrative controls.

The SEC noted that its decision to accept the settlement took into consideration RRD's cooperation with the investigation and its corrective actions, including notifying the SEC of the ransomware attack before disclosing it to investors, reviewing its incident response, adopting new cybersecurity controls and technology, updating employee training, and increasing its cybersecurity personnel.

The enforcement action is the latest of many in which the SEC has brought disclosure controls or internal controls charges against a public company for perceived deficiencies related to the disclosure of cybersecurity risks and incidents, and is significant for its focus on the supervision of a third-party security service provider.
