On June 18, 2024, the SEC announced a $2.125 million settlement with R.R. Donnelley & Sons Co. (“RRD”) related to the company’s 2021 ransomware attack (the “Incident”). The settlement, and the SEC’s accompanying cease-and-desist order (the “Order”), portend the agency’s continued and increasing oversight over registrants’ cybersecurity policies and practices.
Background
RRD is a global provider of business communications and marketing solutions. The Order claims that, due to the nature of its services, RRD regularly stored and transmitted confidential and potentially sensitive data of its clients, which include healthcare companies, financial institutions, publicly-traded companies, and other SEC registrants.
RRD was the subject of a well-publicized ransomware attack beginning on November 29, 2021, which the company disclosed in its SEC filings in late December 2021. According to the Order, RRD’s internal intrusion detection system began issuing alerts about potential malware on the company’s network on November 29, 2021, which (while visible to RRD’s internal security personnel) were reviewed in the first instance by the company’s third-party managed security services provider (“MSSP”). The MSSP escalated some – but not all – of these alerts to RRD security personnel and flagged indications of similar activity occurring on several computers, possibly indicating that a threat actor had begun moving laterally within RRD’s systems. The MSSP also raised to RRD personnel connections between the alerts and a broader phishing campaign, as well as open-source intelligence that the malware could facilitate remote execution of “arbitrary code” and that it had been used in other ransomware attacks.
RRD personnel ultimately reviewed the alerts but did not independently investigate the activity or take steps to prevent further compromise until a third party with shared access to RRD’s network alerted the company’s CISO “about potential anomalous internet activity emanating from RRD’s network.”
The company then began shutting down affected servers and responding to the attack. In the twenty-four days between when the MSSP first escalated the alerts to RRD and when the company took action, the threat actor exfiltrated 70 gigabytes of data, including data belonging to 29 out of the company’s 22,000 clients.
Alleged Internal Accounting and Disclosure Controls Violations
Interestingly, the Order does not challenge the substance or timing of the company’s SEC disclosures related to the Incident.
Instead, the SEC claims that the company failed to maintain “sufficient internal accounting controls” to provide reasonable assurances that access to RRD’s “assets” was permitted only with management’s authorization, as required under Section 13(b)(2)(B) of the Securities Exchange Act of 1934 (the “Exchange Act”). The Order defines RRD’s information technology systems and networks as the company’s “assets” under the Exchange Act, and notes that information technology and cybersecurity are critically important to RRD because its business involves storing and transmitting large amounts of customer data.
More specifically, the SEC critiques the company’s management of its MSSP, stating that the company (1) “failed to reasonably set out a sufficient prioritization scheme and workflow for [the MSSP’s] review and escalation of the alerts” and (2) “did not have sufficient procedures to audit or otherwise oversee the MSSP in order to confirm that the MSSP’s review and escalation of the alerts was consistent with RRD’s expectations and instructions.” The Order further critiques the company’s internal program tasked with reviewing escalated alerts, noting that the program was understaffed and that the company’s policies failed to “sufficiently identify lines of responsibility and authority, set out clear criteria for alert and incident prioritization, and establish clear workflows for alert review and incident response and reporting.”
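The two deficiencies the Order describes, no documented prioritization scheme for the MSSP’s escalations and no procedure to audit whether the MSSP escalated as instructed, are easier to reason about when written down as a checkable rule set. The following is an added example, not code from the Order, from RRD or from its MSSP: the indicator-to-tier mapping, the per-tier escalation deadlines and the four alert records are assumptions constructed for illustration. It tiers each alert by the indicators it carries (remote code execution, links to ransomware and lateral movement, the kinds of signals the Order says the MSSP surfaced, rank highest), computes the escalation deadline, and reports which alerts were escalated on time, late, or never.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Hypothetical prioritization scheme; an assumption for this example, not RRD's policy.
# Each indicator type maps to a tier, and each tier carries the maximum time the MSSP
# has to escalate the alert to the company's internal security team.
TIER_OF_INDICATOR = {
    "remote_code_execution": "P1",
    "ransomware_linked": "P1",
    "lateral_movement": "P1",
    "phishing_campaign": "P2",
    "generic_malware": "P3",
}
TIER_RANK = {"P1": 0, "P2": 1, "P3": 2}
ESCALATION_SLA = {
    "P1": timedelta(hours=1),
    "P2": timedelta(hours=8),
    "P3": timedelta(hours=24),
}


@dataclass
class Alert:
    alert_id: str
    raised_at: datetime
    host: str
    indicators: list
    escalated_at: Optional[datetime]  # None means the MSSP never escalated it


def tier_for(indicators):
    """Return the highest-priority tier among an alert's indicators (unknown ones count as P3)."""
    tiers = [TIER_OF_INDICATOR.get(i, "P3") for i in indicators] or ["P3"]
    return min(tiers, key=lambda t: TIER_RANK[t])


def audit_escalations(alerts, now):
    """Compare each alert's escalation time against its tier's SLA.

    Returns {alert_id: (tier, status, hours_over_sla)} where status is one of
    'on_time', 'late', 'not_escalated' (deadline passed, never escalated) or
    'pending' (not yet escalated but still inside the SLA window).
    """
    results = {}
    for a in alerts:
        tier = tier_for(a.indicators)
        deadline = a.raised_at + ESCALATION_SLA[tier]
        if a.escalated_at is None:
            if now > deadline:
                status, over = "not_escalated", now - deadline
            else:
                status, over = "pending", timedelta(0)
        elif a.escalated_at > deadline:
            status, over = "late", a.escalated_at - deadline
        else:
            status, over = "on_time", timedelta(0)
        results[a.alert_id] = (tier, status, over.total_seconds() / 3600)
    return results


def overdue_report(results):
    """Alert ids that breached the SLA, worst first: by tier, then by hours over the deadline."""
    overdue = [(aid, r) for aid, r in results.items() if r[1] in ("late", "not_escalated")]
    overdue.sort(key=lambda item: (TIER_RANK[item[1][0]], -item[1][2]))
    return [aid for aid, _ in overdue]


def status_counts(results):
    """Tally of alerts per audit status, the headline figure for an MSSP oversight review."""
    counts = {"on_time": 0, "late": 0, "not_escalated": 0, "pending": 0}
    for _, status, _ in results.values():
        counts[status] += 1
    return counts


# Constructed sample data: four alerts as an MSSP ticketing export might record them.
AUDIT_TIME = datetime(2021, 12, 23, 12, 0)
SAMPLE_ALERTS = [
    Alert("A-1", datetime(2021, 11, 29, 9, 0), "ws-01",
          ["generic_malware", "phishing_campaign"], datetime(2021, 11, 29, 10, 30)),
    Alert("A-2", datetime(2021, 11, 29, 11, 0), "ws-02",
          ["generic_malware", "remote_code_execution"], datetime(2021, 11, 30, 9, 0)),
    Alert("A-3", datetime(2021, 11, 30, 8, 0), "ws-03",
          ["lateral_movement"], None),
    Alert("A-4", datetime(2021, 12, 23, 11, 0), "ws-04",
          ["generic_malware"], None),
]

if __name__ == "__main__":
    res = audit_escalations(SAMPLE_ALERTS, AUDIT_TIME)
    for aid, (tier, status, over) in res.items():
        print(f"{aid} {tier} {status:14s} {over:7.1f}h over SLA")
    print("overdue (worst first):", overdue_report(res))
    print("counts:", status_counts(res))
```

Run periodically against the MSSP’s ticket export, the `not_escalated` and `late` buckets are exactly the evidence a company would need to show it was “auditing or otherwise overseeing” its provider; the tier mapping is the written “prioritization scheme” the Order says was missing, and the point of keeping it in code is that both sides can be held to the same definition.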
The Order additionally references disclosure controls claims against RRD under Exchange Act Rule 13a-15(a), on the grounds that the company’s “cybersecurity procedures and controls were not designed to ensure all relevant information relating to alerts and incidents was reported to RRD’s disclosure decision-makers in a timely manner, and did not provide guidance regarding the personnel responsible for reporting such information to management.” The SEC concludes that this hindered the company’s ability to assess the Incident “from a disclosure perspective.”
In agreeing to the settlement, the company agreed to cease and desist from “committing or causing any violations and any future violations of Exchange Act Section 13(b)(2)(B) and Rule 13a-15(a)” and agreed to pay a $2.125 million fine.
Notably, two Commissioners publicly dissented from the Order, stating that by treating RRD’s computer systems as an asset subject to regulation by the SEC under the guise of “internal accounting controls,” the Order “ignores the distinction between internal accounting controls and broader administrative controls.” The dissent further condemns the Order, noting that “a broad interpretation of Section 13(b)(2)(B) to cover computer systems gives the Commission a hook to regulate public companies’ cybersecurity practices. Any departure from what the Commission deems to be appropriate cybersecurity policies could be deemed an internal accounting controls violation… While an enforcement action may be warranted in some circumstances, distorting a statutory provision to form the basis for such an action inappropriately amplifies a company’s harm from a cyberattack.”
Takeaways
- The Order signals the SEC’s intent to expand the meaning of “accounting controls” to include what have traditionally been thought of as information security controls, such as the escalation process for handling incoming cyberthreat alerts and the management of internal and external cybersecurity personnel.
- While most (if not all) cyber-related enforcement actions have included disclosure-controls-related allegations, this appears to be the first time the SEC is explicitly policing a company’s cyber-related policies, practices, and personnel. This may be evidence that the SEC is continuing to stretch its oversight authority over SEC registrants and public companies.
- The Order asserts that RRD held “sensitive” data, but does not focus on the type of data RRD held, or on what information was actually accessed or exfiltrated during the Incident. The breadth of the SEC’s definition of “sensitive data” remains unclear.
- The Order provides no guidance about how broadly the SEC may apply the argument that a company’s information technology systems and networks are company “assets.”
- This is the first SEC order in a cyber-related case to provide specific details about the company’s efforts to cooperate, including that the company reported the Incident to SEC staff before its first Form 8-K disclosing the Incident, voluntarily revised its incident response policies, provided detailed explanations and summaries to the staff, and complied with several staff requests without requiring a subpoena. The SEC claims to have taken the company’s cooperation into account in reaching the settlement and fine amount.
- The penalty of just over $2 million is generally consistent with other recent cyber-related SEC settlements.