The SEC’s Regulation of Cybersecurity Continues

BakerHostetler

The Securities and Exchange Commission (SEC) entered into a resolution agreement with R.R. Donnelley & Sons (RRD) on June 18, 2024, under which RRD agreed to pay $2.125 million to resolve disclosure and control violations alleged by the SEC regarding a December 2021 ransomware incident. In the cease-and-desist order, the SEC alleged that RRD failed to (1) design effective disclosure controls and procedures to timely escalate information about cybersecurity incidents to management and (2) devise and maintain internal accounting controls sufficient to provide reasonable assurances that access to RRD’s assets was permitted only with management’s authorization. As a result, the SEC asserted that RRD violated Exchange Act Section 13(b)(2)(B) and Rule 13a-15(a). RRD began actively responding to the ransomware incident on December 23, 2021, and it filed a Form 8-K on December 27, 2021. Although it is not abundantly clear from the order, it appears that the SEC found fault more in the company’s failure to detect and stop the attack (it had been receiving security event alerts that could have enabled it to address the incident earlier) than in the timeliness of its 8-K filing (the incident occurred before the effective date of the SEC cybersecurity rules). That is why two SEC commissioners issued a statement criticizing the SEC’s approach as an overbroad reading of the obligation to maintain appropriate accounting controls, treating it as though it included an obligation to maintain effective cybersecurity measures.

Background

The facts as stated in the order regarding the underlying security incident are fairly typical. RRD used a third-party managed security services provider (MSSP) to monitor and escalate security alerts. For approximately four weeks (starting in late November 2021), RRD’s intrusion detection systems began issuing alerts, which were visible to both RRD and the MSSP. The MSSP escalated three of these alerts to RRD’s security team along with reports and a reference to a threat intelligence article connecting the malware detected to malware that had often been used in ransomware attacks. After reviewing the escalations, and in partial reliance on its MSSP, RRD did not take those devices offline or conduct its own investigation into the activity until nearly a month later. During the subsequent weeks, the MSSP reviewed but did not escalate other alerts related to this activity, including the compromise of a domain controller. Between November 29 and December 23, 2021, the threat actor maintained persistence in RRD’s network, installed malware, exfiltrated 70 gigabytes of data, and encrypted data. RRD began actively responding to the incident on December 23, but only after a third party with shared access to RRD’s network alerted RRD that anomalous activity appeared to be occurring in RRD’s network.

SEC’s Findings

The SEC found that RRD’s policies, procedures, and controls:

  1. were inadequate to ensure relevant information was reported to RRD’s disclosure decision-makers in a timely manner;
  2. failed to establish a prioritization scheme and failed to provide clear guidance to internal and external (the MSSP) personnel on responding to incidents; and
  3. failed to adequately oversee the MSSP’s review and escalation of alerts.

The SEC also found that RRD failed to adequately review the alerts and take adequate investigative and remedial measures in a timely manner.

The SEC imposed a $2.125 million civil penalty on RRD but took into consideration several mitigating factors: 1) RRD’s prompt remedial measures; 2) RRD’s cooperation with the SEC; 3) RRD’s voluntary revision of its incident response policies and procedures, adoption of new cybertechnology and controls, updating of employee training, and increase in cybersecurity personnel; and 4) RRD’s prompt reporting of the incident to the SEC and its 8-K disclosure regarding the incident (even though RRD did not claim it was a material event, a determination with which the SEC did not take issue).

SEC Overreach?

Two SEC Commissioners issued a statement criticizing the SEC’s method, specifically its use of Section 13(b)(2)(B)’s internal accounting controls provision as a Swiss Army knife to compel companies to implement cybersecurity policies and procedures the SEC thinks prudent in the absence of explicit requirements to do so. The two Commissioners found it concerning that the SEC decided “to stretch the law to punish a company that was the victim of a cyberattack … [which] inappropriately amplifies a company’s harm from a cyberattack.”

These criticisms – of overreach by a federal agency to shoehorn requirements for cybersecurity policies and procedures into unrelated statutes and regulations – are similar to those levied against the FTC’s broad use of Section 5 of the FTC Act, which prohibits unfair or deceptive trade practices, to require companies to implement cybersecurity tools and procedures despite the fact that this was not contemplated by the statute.

What You Can Do Now

  • Establish an Escalation Protocol: Whether your company handles all cybersecurity in-house, uses a third-party MSSP, or takes a hybrid approach, make sure all relevant parties understand which alerts to escalate and when, so that appropriate and timely actions can be taken to investigate and, if necessary, contain suspicious activity.
  • Develop an Incident Severity Classification Protocol: The escalation protocol should also include a severity classification protocol that outlines which cybersecurity incidents get escalated to management, including to disclosure decision-makers within the company.
  • Communicate and Test the Protocols: Make sure you communicate the protocols to relevant parties, including to any vendors monitoring the company’s network. Regularly test – and revise if necessary – your protocols (and incident response plan) so you aren’t dusting them off for the first time when responding to an actual incident.
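The three recommendations above describe one mechanism: a severity classification that decides who is told about an alert and how quickly, plus an oversight check on the vendor doing first-line review. The following is an added, constructed example of that mechanism and is not code from BakerHostetler, RRD, its MSSP or the SEC order; the alert fields, severity tiers, notification targets, response deadlines, critical-asset list, threat-intel tag and campaign threshold are all assumptions. It also goes slightly beyond the bullets by correlating individually "high" alerts that share a ransomware-linked tag across several hosts, since the Background section shows that the individual-alert view is exactly where escalation broke down.

```python
"""Alert severity classification, escalation routing and MSSP oversight.

Constructed illustration of an escalation protocol; not code from any real
company, vendor or regulator.  Tiers, deadlines and thresholds are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List

# Who is notified at each severity (assumed tiers). "disclosure_committee"
# stands for the people who decide whether an incident must be disclosed.
NOTIFY = {
    "critical": ["security_team", "management", "disclosure_committee"],
    "high": ["security_team", "management"],
    "medium": ["security_team"],
    "low": [],
}
DEADLINE_HOURS = {"critical": 1, "high": 4, "medium": 24, "low": 72}  # assumed SLAs
RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}

CRITICAL_ASSET_ROLES = {"domain_controller", "backup_server"}  # assumed list
RANSOMWARE_TAGS = {"ransomware_precursor"}  # assumed threat-intel tag
CAMPAIGN_HOST_THRESHOLD = 3  # distinct hosts with the same tag = one campaign (assumed)


@dataclass
class Alert:
    alert_id: str
    host: str
    host_role: str                 # "workstation", "domain_controller", ...
    category: str                  # "informational", "suspicious", "malware", "compromise"
    threat_intel_tags: List[str] = field(default_factory=list)
    mssp_action: str = "reviewed"  # what the vendor did: "reviewed", "closed", "escalated"


@dataclass
class Decision:
    alert_id: str
    severity: str
    notify: List[str]
    deadline_hours: int
    reason: str


def classify(alert: Alert) -> Decision:
    """Severity of a single alert from asset criticality, category and threat intel."""
    critical_asset = alert.host_role in CRITICAL_ASSET_ROLES
    ransomware_linked = any(t in RANSOMWARE_TAGS for t in alert.threat_intel_tags)
    if alert.category == "compromise" and critical_asset:
        sev, why = "critical", f"compromise of critical asset {alert.host}"
    elif alert.category == "compromise" or (
        alert.category == "malware" and (critical_asset or ransomware_linked)
    ):
        sev, why = "high", "host compromise or ransomware-linked malware"
    elif alert.category in ("malware", "suspicious"):
        sev, why = "medium", "malware or suspicious activity with no known ransomware link"
    else:
        sev, why = "low", "informational alert"
    return Decision(alert.alert_id, sev, list(NOTIFY[sev]), DEADLINE_HOURS[sev], why)


def triage(alerts: List[Alert]) -> Dict[str, Decision]:
    """Classify each alert, then raise to critical any alert whose ransomware-linked
    tag appears on enough distinct hosts: weeks of separate 'high' alerts are one
    campaign and must reach management, not just the security team."""
    decisions = {a.alert_id: classify(a) for a in alerts}
    hosts_by_tag = defaultdict(set)
    for a in alerts:
        for tag in a.threat_intel_tags:
            if tag in RANSOMWARE_TAGS:
                hosts_by_tag[tag].add(a.host)
    for a in alerts:
        for tag in a.threat_intel_tags:
            hosts = hosts_by_tag.get(tag, set())
            d = decisions[a.alert_id]
            if len(hosts) >= CAMPAIGN_HOST_THRESHOLD and RANK[d.severity] < RANK["critical"]:
                d.severity, d.notify = "critical", list(NOTIFY["critical"])
                d.deadline_hours = DEADLINE_HOURS["critical"]
                d.reason += f"; '{tag}' seen on {len(hosts)} hosts (campaign)"
    return decisions


def audit_mssp(alerts: List[Alert], decisions: Dict[str, Decision]) -> List[str]:
    """Oversight check: alerts the company's own rules rate high or critical that
    the MSSP did not escalate. These are the gaps to review with the vendor."""
    return [a.alert_id for a in alerts
            if RANK[decisions[a.alert_id].severity] >= RANK["high"]
            and a.mssp_action != "escalated"]


# Constructed sample alerts; hosts and ids are made up, not from any incident.
SAMPLE_ALERTS = [
    Alert("A-1", "ws-01", "workstation", "malware", ["ransomware_precursor"], "escalated"),
    Alert("A-2", "ws-02", "workstation", "suspicious"),
    Alert("A-3", "dc-01", "domain_controller", "compromise", ["ransomware_precursor"]),
    Alert("A-4", "ws-03", "workstation", "informational", [], "closed"),
    Alert("A-5", "ws-04", "workstation", "malware", ["ransomware_precursor"]),
]

if __name__ == "__main__":
    results = triage(SAMPLE_ALERTS)
    for d in results.values():
        print(f"{d.alert_id}: {d.severity:8} -> {', '.join(d.notify) or 'nobody'} "
              f"within {d.deadline_hours}h ({d.reason})")
    print("MSSP escalation gaps:", audit_mssp(SAMPLE_ALERTS, results))
```

Run stand-alone, the domain-controller compromise (A-3) routes straight to management and the disclosure committee, the three ransomware-tagged alerts on separate hosts are promoted to one critical campaign, and `audit_mssp` lists A-3 and A-5 as alerts the vendor reviewed but never escalated. Keeping the classification rules in the company's own code, rather than only in the vendor's playbook, is what makes that last check possible.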

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© BakerHostetler | Attorney Advertising

Written by:

BakerHostetler