Hunton Andrews Kurth writes:
On June 18, 2024, the U.S. Securities and Exchange Commission (“SEC”) announced a settlement with R.R. Donnelley & Sons Co. (“RRD”), a global provider of business communication and marketing services, for violating the internal controls and disclosure controls provisions of federal securities laws in relation to Donnelley’s response to a 2021 ransomware attack. The settlement requires RRD to pay a civil monetary penalty of $2.125 million and cease and desist from further violations of Section 13(b)(2)(B) of the Securities Exchange Act of 1934 and Exchange Act Rule 13a-15(a).
During the relevant period, RRD was a publicly traded company subject to the SEC’s disclosure and periodic reporting requirements. According to the SEC’s order, RRD’s cybersecurity intrusion detection systems issued a high volume of complex alerts each month. RRD’s third-party managed security services provider (the “SSP”) performed an initial review of the alerts and escalated certain of them to RRD, but the SEC’s order alleged that RRD did not reasonably manage the SSP’s allocation of resources or maintain sufficient audit and oversight procedures with respect to the SSP.

These issues came to a head when RRD experienced a ransomware attack in late 2021. The SEC alleged that, starting November 29, 2021, RRD’s internal intrusion detection systems began issuing alerts about certain malware in the RRD network, which were visible to both RRD’s and the SSP’s security personnel. According to the order, the SSP escalated three of the alerts to RRD’s internal security personnel, noting: (1) indications that similar activity was taking place on multiple computers; (2) connections to a broad phishing campaign; and (3) open-source intelligence that the malware was capable of facilitating remote execution of arbitrary code.
Read more at Privacy & Information Security Law Blog.