The SEC issued a cease-and-desist order that settled its charges against RR Donnelley & Sons Co (RRD) for Exchange Act disclosure controls and procedures and internal accounting control provisions relating to its cybersecurity practices between November 2021 and January 2022. RRD is a global provider of marketing, packaging, print, and supply chain solutions based in Chicago.
The SEC said RRD failed to design effective disclosure controls and procedures, as defined in its rules, for the disclosure of cybersecurity risks and incidents, and failed to devise and maintain a system of cybersecurity-related internal accounting controls sufficient to provide reasonable assurances that access to RRD’s assets was permitted only with management’s authorization. Those assets included its information technology systems and networks, which contained sensitive business and client data.
Due to RRD’s business of storing and transmitting large amounts of data, including sensitive data, information technology and cybersecurity are obviously of critical importance, the SEC notes.
“As a result of these internal accounting controls deficiencies, RRD failed to execute a timely response to a ransomware network intrusion that occurred between November 29, 2021 and December 23, 2021, which culminated in encryption of computers, exfiltration of data, and business service disruptions,” the agency states in its order.
The ransomware incident
Between November 29 and December 23, 2021, RRD experienced a ransomware network intrusion.
Starting November 29, 2021, RRD’s internal intrusion detection systems began issuing alerts, visible to both its own and the MSSP’s security personnel, about certain malware in the RRD network. The MSSP received these alerts and escalated three of them to RRD’s internal security personnel. In the escalated alerts, the MSSP noted to RRD that the threat had moved laterally or the threat actors had successfully achieved entry at multiple points, that there were connections to a broad phishing campaign, and that open-source intelligence indicated the malware was capable of facilitating remote execution of arbitrary code.
The MSSP provided RRD a link to a cybersecurity magazine article, which described the malware and stated that it was often used in ransomware operations.
The staff members allocated to the task of reviewing and responding to these escalated alerts had significant other responsibilities, leaving insufficient time to dedicate to the alerts and general threat-hunting in RRD’s environment.
The SEC said RRD reviewed the escalated alerts but, in partial reliance on its MSSP, did not take the infected instances off the network and failed to conduct its own investigation of the activity, or otherwise take steps to prevent further compromise, before December 23, 2021. And in November and December 2021, the MSSP also reviewed, but did not escalate to RRD, at least 20 other alerts related to the same activity. These included alerts regarding the same malware being installed or executed on multiple other computers across the network, and compromise of a domain controller server, which provided the threat actor with access to and control over a broader sweep of network resources and credentials.
Between November 29 and December 23, 2021, the threat actor was able to use deceptive hacking techniques to install encryption software on certain RRD computers (mostly virtual machines) and exfiltrated 70 gigabytes of data, including data belonging to 29 of RRD’s 22,000 clients, some of which contained personal identification and financial information. RRD’s investigation uncovered no evidence that the threat actor accessed RRD’s financial systems and corporate financial and accounting data.
RRD began actively responding to the attack on December 23, 2021 after a company with shared access to RRD’s network alerted RRD’s Chief Information Security Officer about potential anomalous internet activity emanating from RRD’s network. After this alert, RRD’s security personnel conducted a rapid and extensive response operation, including shutting down servers, and notifying clients and federal and state agencies.
Beginning on December 27, 2021, RRD issued public statements, including SEC filings, regarding the ransomware intrusion.
Security incident management issue
The SEC detailed what it called a “security incident management issue” at RRD and how it arose from mismanagement, insufficient procedures, and unprepared personnel.
RRD’s internal intrusion detection systems issued a significant number of alerts each month, which were highly complex due to RRD’s large footprint and heterogeneity of its network and the variety of custom applications used in the environment, the SEC said.
These alerts were available to RRD’s internal personnel for review, but were reviewed in the first instance by its third-party managed security services provider (MSSP).
After its initial review and analysis, the MSSP would escalate a significant number of alerts to RRD’s internal cybersecurity personnel. When incidents of unauthorized activity were identified, the response and remediation were executed by both RRD’s internal personnel and the MSSP. The SEC said RRD suffered from the following flaws, which compromised the immediate attention the cyber alerts should have generated:
- RRD did not reasonably manage the MSSP’s allocation of resources to the task. In its contract and communications with the MSSP, RRD failed to reasonably set out a sufficient prioritization scheme and workflow for review and escalation of the alerts.
- RRD did not have sufficient procedures to audit or otherwise oversee the MSSP in order to confirm that the MSSP’s review and escalation of the alerts was consistent with RRD’s expectations and instructions.
- Despite the high volume and complexity of the alerts the MSSP escalated to RRD, the staff members allocated to the task of reviewing and responding to these escalated alerts had significant other responsibilities, leaving insufficient time to dedicate to the escalated alerts and general threat-hunting in RRD’s environment.
- RRD’s internal policies governing its personnel’s review of cybersecurity alerts and incident response also failed to sufficiently identify lines of responsibility and authority, set out clear criteria for alert and incident prioritization, and establish clear workflows for alert review and incident response and reporting.
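The four findings above amount to two missing controls: a written prioritization scheme that tells the MSSP which alerts must be escalated and how fast, and an audit step that lets the company confirm the MSSP actually followed it. The example below, added here as an illustration and not code from RRD, its MSSP, or the SEC order, shows both as a small Python triage policy. The alert fields, the priority tiers, the 4-hour and 15-minute targets and the "same family on three or more hosts" outbreak threshold are all assumptions chosen for the demonstration; the sample alerts are constructed but mirror the indicators the order describes (lateral movement, a domain controller, malware with remote-code-execution capability, a phishing link). The `escalation_gaps` function is the oversight check: it reports alerts the policy rates P1 or P2 that the MSSP reviewed but did not escalate, which is exactly the category of the "at least 20 other alerts" in the order.

```python
"""Alert prioritization policy and MSSP escalation reconciliation (added example, not RRD's code)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    alert_id: str
    host: str
    host_role: str          # "workstation", "server" or "domain_controller"
    family: str             # malware family named by the IDS signature
    lateral_movement: bool  # IDS or MSSP observed movement between hosts
    rce_capable: bool       # open-source intel: malware enables remote code execution
    phishing_linked: bool   # tied to a broad phishing campaign
    mssp_escalated: bool    # did the MSSP escalate this alert to the internal team?


# Hypothetical thresholds: these would live in the MSSP contract / runbook.
SPREAD_THRESHOLD = 3  # same family on this many distinct hosts is treated as an outbreak

ACTIONS = {
    "P1": ("isolate host now", "open incident", "page internal on-call within 15 minutes"),
    "P2": ("escalate to internal SOC within 4 hours", "hunt for the same family on other hosts"),
    "P3": ("review in daily queue",),
}


def host_spread(alerts):
    """Distinct hosts per malware family across the whole alert set (not per alert)."""
    hosts = defaultdict(set)
    for a in alerts:
        hosts[a.family].add(a.host)
    return {family: len(h) for family, h in hosts.items()}


def classify(alert, spread):
    """Return (priority, reasons). P1 indicators are checked first and dominate."""
    reasons = []
    if alert.host_role == "domain_controller":
        reasons.append("domain controller compromised")
    if alert.lateral_movement:
        reasons.append("lateral movement")
    if spread.get(alert.family, 0) >= SPREAD_THRESHOLD:
        reasons.append(f"{alert.family} on {spread[alert.family]} hosts")
    if reasons:
        return "P1", reasons
    if alert.rce_capable:
        reasons.append("malware enables remote code execution")
    if alert.phishing_linked:
        reasons.append("linked to phishing campaign")
    if reasons:
        return "P2", reasons
    return "P3", ["no aggravating indicators"]


def triage(alerts):
    """Apply the policy to every alert; spread is computed once over the full set."""
    spread = host_spread(alerts)
    return {a.alert_id: classify(a, spread) for a in alerts}


def escalation_gaps(alerts):
    """Oversight check: alerts the policy rates P1/P2 that the MSSP did not escalate."""
    decisions = triage(alerts)
    return sorted(a.alert_id for a in alerts
                  if decisions[a.alert_id][0] in ("P1", "P2") and not a.mssp_escalated)


# Constructed sample: six alerts over a few weeks, two of which the MSSP escalated.
SAMPLE_ALERTS = [
    Alert("A-001", "ws-17", "workstation", "loader-x", False, True, True, True),
    Alert("A-002", "ws-22", "workstation", "loader-x", True, True, False, True),
    Alert("A-003", "dc-01", "domain_controller", "loader-x", False, True, False, False),
    Alert("A-004", "ws-31", "workstation", "loader-x", False, True, False, False),
    Alert("A-005", "srv-09", "server", "dropper-y", False, True, False, False),
    Alert("A-006", "ws-05", "workstation", "adware-z", False, False, False, False),
]


if __name__ == "__main__":
    for alert_id, (prio, reasons) in triage(SAMPLE_ALERTS).items():
        print(f"{alert_id} {prio}: {'; '.join(reasons)} -> {', '.join(ACTIONS[prio])}")
    print("not escalated but should have been:", escalation_gaps(SAMPLE_ALERTS))
```

Two design points matter for the oversight role. Spread is computed over the whole alert set rather than per alert, so the fourth "loader-x" sighting retroactively makes every earlier sighting P1; an MSSP working alerts one at a time would never see that pattern unless the runbook requires it. And `escalation_gaps` needs only the raw alert feed plus the MSSP's escalation log, both of which the company already owns, so it can run as a weekly reconciliation without waiting for an incident to reveal the gap.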
Applicable rules
The SEC said RRD violated Exchange Act Rule 13a-15(a), which requires an issuer to maintain sufficient procedures to collect, process and disclose the information required of it in its Exchange Act reports and to evaluate the effectiveness of its disclosure controls and procedures.
The SEC said RRD also violated Exchange Act Section 13(b)(2)(B), which requires issuers with a class of securities registered pursuant to Section 12 of the Exchange Act to devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances, among other things, that access to company assets is permitted only in accordance with management’s general or specific authorization.
Cooperation credit
The SEC said it considered remedial acts promptly undertaken by RRD, such as it reporting the 2021 ransomware intrusion to the staff prior to its first SEC filing disclosing the 2021 ransomware intrusion; voluntarily revising incident response policies, procedures and staffing (including adopting new cybersecurity technology and controls, updating employee training, and increasing cybersecurity headcount); and promptly following up on requests from staff without requiring subpoenas, including obtaining information from various employees and explaining technical cybersecurity issues.
Peirce and Uyeda issue objecting statement
SEC Commissioners Hester Peirce and Mark Uyeda submitted a joint statement, saying the SEC’s order faulting RRD’s internal accounting controls breaks new ground with its expansive interpretation of what constitutes an asset under its internal accounting controls provision, Section 13(b)(2)(B).
The broad interpretation of those rules to cover computer systems “gives the Commission a hook to regulate public companies’ cybersecurity practices,” they said.
“Any departure from what the Commission deems to be appropriate cybersecurity policies could be deemed an internal accounting controls violation. The Commission’s assurances in connection with the recent cyber-disclosure rulemaking ring untrue if the Commission plans to dictate public company cybersecurity practices indirectly using its ever-flexible Section 13(b)(2)(B) tool. Also concerning is the Commission’s decision to stretch the law to punish a company that was the victim of a cyberattack. While an enforcement action may be warranted in some circumstances, distorting a statutory provision to form the basis for such an action inappropriately amplifies a company’s harm from a cyberattack,” they wrote.
(Author’s Note: The duo made a similar argument about an over-expansive use of Section 13(b)(2)(B) in a case last year involving the timing of stock buybacks.)