On June 18, 2024, the U.S. Securities and Exchange Commission (“SEC”) announced a settlement with R.R. Donnelley & Sons Co. (“RRD”), a global provider of business communication and marketing services, for violating the internal controls and disclosure controls provisions of federal securities laws in relation to Donnelley’s response to a 2021 ransomware attack. The settlement requires RRD to pay a civil monetary penalty of $2.125 million and cease and desist from further violations of Section 13(b)(2)(B) of the Securities Exchange Act of 1934 and Exchange Act Rule 13a-15(a).
During the relevant period of time, RRD was a publicly traded company subject to the SEC’s disclosure and periodic reporting requirements. According to the SEC’s order, RRD’s cybersecurity intrusion detection systems issued a high volume of complex alerts each month. RRD’s third-party managed security services provider (the “SSP”) did an initial review of the alerts and escalated certain of them to RRD, but the SEC’s order alleged that RDD did not reasonably manage the SSP’s allocation of resources or maintain sufficient audit and oversight procedures with respect to the SSP. These issues came to a head when RRD experienced a ransomware attack in late 2021. Starting November 29, 2021, the SEC alleged that RRD’s internal intrusion detection systems began issuing alerts about certain malware in the RRD network, which were visible to both RRD’s and the SSP’s security personnel. According to the order, the SSP escalated three of alerts to RRD’s internal security personnel, noting: (1) the indications that similar activity was taking place on multiple computers; (2) connections to a broad phishing campaign; and (3) open-source intelligence that the malware was capable of facilitating remote execution of arbitrary code.
RRD reviewed the escalated alerts but, according to the SEC, “did not take the infected instances off the network and failed to conduct its own investigation of the activity, or otherwise take steps to prevent further compromise before December 23, 2021” after another company with shared access to RRD’s network alerted RRD’s Chief Information Security Officer (“CISO”) about potential anomalous internet activity emanating from RRD’s network. The SEC observed that in November and December 2021, the SSP reviewed, but did not escalate to RRD, at least 20 other alerts were related to the same activity, “including alerts regarding the same malware being installed or executed on multiple other computers across the network and compromise of a domain controller server, which provided the threat actor with access to and control over a broader sweep of network resources and credentials.” Between November 29 and December 23, 2021, the SEC determined that the threat actor was able to install encryption software on various RRD computers. The threat actor ultimately exfiltrated 70 gigabytes of data; this included data belonging to 29 of RRD’s 22,000 clients, some of which contained personal identification and financial information.
After the December 23, 2021 alert, RRD’s security personnel initiated a response operation, including shutting down servers, and notifying clients and federal and state agencies. Beginning on December 27, 2021, RRD issued public statements, including in EDGAR filings, regarding the ransomware intrusion.
The SEC’s order found that RRD failed to design effective cybersecurity incident controls and procedures, with key failures related to the timeliness of relevant communications and decisions around potential incident disclosures. The SEC noted that intrusion detection alerts were available to RRD’s internal personnel for review, but were first reviewed and analyzed by the SSP, after which the SSP would escalate certain alerts to RRD’s internal cybersecurity personnel. Despite what the SEC characterized as a high volume and complexity of alerts that the SSP was responsible for reviewing, the SEC alleged that RRD did not reasonably manage the SSP’s allocation of resources. For example, in its contract and communications with the SSP, the SEC noted that RRD failed to reasonably set out a sufficient prioritization scheme and workflow for review and escalation of the alerts. The SEC also alleged RRD did not have sufficient procedures to audit or otherwise oversee the SSP in order to confirm the SSP’s review and escalation of alerts were consistent with RRD’s instructions. Despite the high volume and complexity of alerts the SSP escalated to RRD, the SEC noted that RRD personnel responsible for reviewing and responding to escalated alerts had significant other job responsibilities, resulting in “insufficient time to dedicate to the escalated alerts and general threat-hunting in RRD’s environment.” According to the SEC, RRD’s “internal policies governing its personnel’s review of cybersecurity alerts and incident response also failed to sufficiently identify lines of responsibility and authority, set out clear criteria for alert and incident prioritization, and establish clear workflows for alert review and incident response and reporting.”
As a result of this conduct, the SEC determined that RRD violated two key provisions of the federal securities laws:
- Section 13(b)(2)(B) of the Securities Exchange Act of 1934, which requires public companies to devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances, among other things, that access to company assets is permitted only in accordance with management’s general or specific authorization; and
- Exchange Act Rule 13a-15(a), which requires public companies to maintain disclosure controls and procedures designed to ensure that information required to be disclosed in reports it files with the SEC is recorded, processed, summarized and reported within the time periods specified in the Commission’s rules and forms.
Central to these charges is the SEC’s determination that RRD’s information technology systems and networks constituted an asset of the company. Two of the five SEC commissioners dissented from the action, and took particular issue with the majority’s “expansive interpretation of what constitutes an asset under Section 13(b)(2)(B)(iii).” By treating RRD’s computer systems as an asset subject to the internal accounting controls provision, the dissenting commissioners argued that the SEC’s order ignores the distinction between internal accounting controls and broader administrative controls.
The SEC noted that its decision to accept the settlement took into consideration RRD’s cooperation with the investigation and remedial actions, including reporting the ransomware attack to the SEC prior to disclosing it to investors, revising incident response policies and procedures, adopting new cybersecurity technology and controls, updating employee training, and increasing cybersecurity personnel headcount.
The enforcement action is the latest of many in which the SEC has pursued disclosure controls or internal controls charges against a public company for perceived shortcomings related to the disclosure of cybersecurity risks and incidents, and is significant for its focus on a company’s oversight of a third-party security service provider.
Search
Recent Posts
Categories
- Behavioral Advertising
- Centre for Information Policy Leadership
- Children’s Privacy
- Cyber Insurance
- Cybersecurity
- Enforcement
- European Union
- Events
- FCRA
- Financial Privacy
- General
- Health Privacy
- Identity Theft
- Information Security
- International
- Marketing
- Multimedia Resources
- Online Privacy
- Security Breach
- U.S. Federal Law
- U.S. State Law
- Workplace Privacy
Tags
- Aaron Simpson
- Accountability
- Adequacy
- Advertisement
- Advertising
- American Privacy Rights Act
- Anna Pateraki
- Anonymization
- Anti-terrorism
- APEC
- Apple Inc.
- Argentina
- Arkansas
- Article 29 Working Party
- Artificial Intelligence
- Australia
- Austria
- Automated Decisionmaking
- Baltimore
- Bankruptcy
- Belgium
- Biden Administration
- Big Data
- Binding Corporate Rules
- Biometric Data
- Blockchain
- Bojana Bellamy
- Brazil
- Brexit
- British Columbia
- Brittany Bacon
- Brussels
- Business Associate Agreement
- BYOD
- California
- CAN-SPAM
- Canada
- Cayman Islands
- CCPA
- CCTV
- Chile
- China
- Chinese Taipei
- Christopher Graham
- CIPA
- Class Action
- Clinical Trial
- Cloud
- Cloud Computing
- CNIL
- Colombia
- Colorado
- Committee on Foreign Investment in the United States
- Commodity Futures Trading Commission
- Compliance
- Computer Fraud and Abuse Act
- Congress
- Connecticut
- Consent
- Consent Order
- Consumer Protection
- Cookies
- COPPA
- Coronavirus/COVID-19
- Council of Europe
- Council of the European Union
- Court of Justice of the European Union
- CPPA
- CPRA
- Credit Monitoring
- Credit Report
- Criminal Law
- Critical Infrastructure
- Croatia
- Cross-Border Data Flow
- Cyber Attack
- Cybersecurity
- Cybersecurity and Infrastructure Security Agency
- Data Brokers
- Data Controller
- Data Localization
- Data Privacy Framework
- Data Processor
- Data Protection Act
- Data Protection Authority
- Data Protection Impact Assessment
- Data Transfer
- David Dumont
- David Vladeck
- Delaware
- Denmark
- Department of Commerce
- Department of Health and Human Services
- Department of Homeland Security
- Department of Justice
- Department of the Treasury
- District of Columbia
- Do Not Call
- Do Not Track
- Dobbs
- Dodd-Frank Act
- DPIA
- E-Privacy
- E-Privacy Directive
- Ecuador
- Ed Tech
- Edith Ramirez
- Electronic Communications Privacy Act
- Electronic Privacy Information Center
- Elizabeth Denham
- Employee Monitoring
- Encryption
- ENISA
- EU Data Protection Directive
- EU Member States
- European Commission
- European Data Protection Board
- European Data Protection Supervisor
- European Parliament
- Facial Recognition Technology
- FACTA
- Fair Credit Reporting Act
- Fair Information Practice Principles
- Federal Aviation Administration
- Federal Bureau of Investigation
- Federal Communications Commission
- Federal Data Protection Act
- Federal Trade Commission
- FERC
- FinTech
- Florida
- Food and Drug Administration
- Foreign Intelligence Surveillance Act
- France
- Franchise
- Fred Cate
- Freedom of Information Act
- Freedom of Speech
- Fundamental Rights
- GDPR
- Geofencing
- Geolocation
- Georgia
- Germany
- Global Privacy Assembly
- Global Privacy Enforcement Network
- Gramm Leach Bliley Act
- Hacker
- Hawaii
- Health Data
- Health Information
- HIPAA
- HIPPA
- HITECH Act
- Hong Kong
- House of Representatives
- Hungary
- Illinois
- India
- Indiana
- Indonesia
- Information Commissioners Office
- Information Sharing
- Insurance Provider
- Internal Revenue Service
- International Association of Privacy Professionals
- International Commissioners Office
- Internet
- Internet of Things
- IP Address
- Ireland
- Israel
- Italy
- Jacob Kohnstamm
- Japan
- Jason Beach
- Jay Rockefeller
- Jenna Rode
- Jennifer Stoddart
- Jersey
- Jessica Rich
- John Delionado
- John Edwards
- Kentucky
- Korea
- Latin America
- Laura Leonard
- Law Enforcement
- Lawrence Strickling
- Legislation
- Liability
- Lisa Sotto
- Litigation
- Location-Based Services
- London
- Madrid Resolution
- Maine
- Malaysia
- Markus Heyder
- Maryland
- Massachusetts
- Meta
- Mexico
- Microsoft
- Minnesota
- Mobile App
- Mobile Device
- Montana
- Morocco
- MySpace
- Natascha Gerlach
- National Institute of Standards and Technology
- National Labor Relations Board
- National Science and Technology Council
- National Security
- National Security Agency
- National Telecommunications and Information Administration
- Nebraska
- NEDPA
- Netherlands
- Nevada
- New Hampshire
- New Jersey
- New Mexico
- New York
- New Zealand
- Nigeria
- Ninth Circuit
- North Carolina
- Norway
- Obama Administration
- OECD
- Office for Civil Rights
- Office of Foreign Assets Control
- Ohio
- Oklahoma
- Opt-In Consent
- Oregon
- Outsourcing
- Pakistan
- Parental Consent
- Payment Card
- PCI DSS
- Penalty
- Pennsylvania
- Personal Data
- Personal Health Information
- Personal Information
- Personally Identifiable Information
- Peru
- Philippines
- Phyllis Marcus
- Poland
- PRISM
- Privacy By Design
- Privacy Policy
- Privacy Rights
- Privacy Rule
- Privacy Shield
- Protected Health Information
- Ransomware
- Record Retention
- Red Flags Rule
- Regulation
- Rhode Island
- Richard Thomas
- Right to Be Forgotten
- Right to Privacy
- Risk-Based Approach
- Rosemary Jay
- Russia
- Safe Harbor
- Sanctions
- Schrems
- Scott H. Kimpel
- Scott Kimpel
- Securities and Exchange Commission
- Security Rule
- Senate
- Serbia
- Service Provider
- Singapore
- Smart Grid
- Smart Metering
- Social Media
- Social Security Number
- South Africa
- South Carolina
- South Dakota
- South Korea
- Spain
- Spyware
- Standard Contractual Clauses
- State Attorneys General
- Steven Haas
- Stick With Security Series
- Stored Communications Act
- Student Data
- Supreme Court
- Surveillance
- Sweden
- Switzerland
- Taiwan
- Targeted Advertising
- Telecommunications
- Telemarketing
- Telephone Consumer Protection Act
- Tennessee
- Terry McAuliffe
- Texas
- Text Message
- Thailand
- Transparency
- Transportation Security Administration
- Trump Administration
- United Arab Emirates
- United Kingdom
- United States
- Unmanned Aircraft Systems
- Uruguay
- Utah
- Vermont
- Video Privacy Protection Act
- Video Surveillance
- Virginia
- Viviane Reding
- Washington
- Whistleblowing
- Wireless Network
- Wiretap
- ZIP Code