By Gregory Hale
Whether the Securities and Exchange Commission (SEC) is overstepping its bounds, or it is fully on target, the commission last week accepted a $2.125 million civil penalty settlement offer from R.R. Donnelley & Sons Company.

SEC reported on June 18 it found violations by R.R. Donnelley in the Exchange Act’s disclosure controls and procedures and internal accounting control provisions relating to its cybersecurity practices between November 2021 and January 2022 which included the company falling victim to a ransomware attack.

Throughout the time frame, R.R. Donnelley failed to design effective disclosure controls and procedures as defined in the Exchange Act rules related to the disclosure of cybersecurity risks and incidents, the SEC said.

In addition, R.R. Donnelley also failed to devise and maintain a system of cybersecurity-related internal accounting controls sufficient to provide reasonable assurances that access to the company’s assets – its information technology systems and networks, which contained sensitive business and client data – ended up permitted only with management’s authorization.

Schneider Bold

Sensitive Data Means Cybersecurity Critical
Due to R.R. Donnelley’s business of storing and transmitting large amounts of data, some of which was sensitive, information technology and cybersecurity are critically important. As a result of these internal accounting controls deficiencies, R.R. Donnelley failed to execute a timely response to a ransomware network intrusion that occurred between November 29, 2021, and December 23, 2021, which culminated in encryption of computers, exfiltration of data, and business service disruptions.

In short, the SEC laid out issues it found with R.R. Donnelley:

During the time frame investigated, R.R. Donnelley’s internal intrusion detection systems issued a significant number of alerts each month. These alerts and the environment from which they emanated were highly complex due to R.R. Donnelley’s large footprint and heterogeneity of its network and the variety of custom applications used in the environment. Additionally, these alerts were available to R.R. Donnelley’s internal personnel for review, but reviewed in the first instance by its third-party managed security services provider (MSSP). After initial review and analysis, the MSSP would escalate a significant number of alerts to RRD’s internal cybersecurity personnel. When they identified incidents of unauthorized activity, response and remediation ended up executed by R.R. Donnelley’s internal personnel and the MSSP.

Despite the high volume and complexity of the alerts the MSSP was responsible for reviewing, R.R. Donnelley did not reasonably manage the MSSP’s allocation of resources to the task. In its contract and communications with the MSSP, R.R. Donnelley failed to reasonably set out a sufficient prioritization scheme and workflow for review and escalation of the alerts.

Furthermore, R.R. Donnelley did not have sufficient procedures to audit or otherwise oversee the MSSP in order to confirm the MSSP’s review and escalation of the alerts was consistent with R.R. Donnelley’s expectations and instructions.

High Volume of Alerts
Despite the high volume and complexity of the alerts the MSSP escalated to R.R. Donnelley, staff members allocated to the task of reviewing and responding to these escalated alerts had significant other responsibilities, leaving insufficient time to dedicate to the escalated alerts and general threat-hunting in R.R. Donnelley’s environment.

Additionally, R.R. Donnelley’s internal policies governing its personnel’s review of cybersecurity alerts and incident response also failed to sufficiently identify lines of responsibility and authority, set out clear criteria for alert and incident prioritization, and establish clear workflows for alert review and incident response and reporting.

This all came to a head because between November 29 and December 23, 2021, R.R. Donnelley experienced a ransomware attack.

Starting November 29, 2021, R.R. Donnelley’s internal intrusion detection systems began issuing alerts, which were visible to its and the MSSP’s security personnel, about certain malware in the R.R. Donnelley network. The MSSP received these alerts and escalated three of them to R.R. Donnelley’s internal security personnel. In the escalated alerts, the MSSP noted to R.R. Donnelley: (1) indications that similar activity was taking place on multiple computers (meaning, the threat had moved laterally, or the threat actors successfully achieved entry at multiple points); (2) connections to a broad phishing campaign; and (3) open-source intelligence the malware was capable of facilitating remote execution of arbitrary code. The MSSP provided to R.R. Donnelley a link to a cybersecurity magazine article, which described the malware and stated ransomware operations often used it.

R.R. Donnelley reviewed the escalated alerts but, in partial reliance on its MSSP, did not take the infected instances off the network and failed to conduct its own investigation of the activity, or otherwise take steps to prevent further compromise, before December 23, 2021.

Ransomware Attack
In November and December 2021, the MSSP also reviewed, but did not escalate to R.R. Donnelley, at least 20 other alerts related to the same activity, including alerts regarding the same malware installed or executed on multiple other computers across the network and compromise of a domain controller server, which provided the threat actor with access to and control over a broader sweep of network resources and credentials. The malware executed on the domain controller ended up used by the ransomware group credited with the attack on R.R. Donnelley.

Between November 29 and December 23, 2021, the threat actor was able to utilize deceptive hacking techniques to install encryption software on certain R.R. Donnelley computers (mostly virtual machines) and exfiltrated 70 Gigabytes of data, including data belonging to 29 of R.R. Donnelley’s 22,000 clients, some of which contained personal identification and financial information. R.R. Donnelley’s investigation uncovered no evidence the threat actor accessed its financial systems and corporate financial and accounting data.

The company began actively responding to the attack on December 23, 2021, after a firm with shared access to R.R. Donnelley’s network alerted R.R. Donnelley’s Chief Information Security Officer about potential anomalous Internet activity coming from R.R. Donnelley’s network.

After this alert, R.R. Donnelley’s security personnel conducted a rapid and extensive response operation, including shutting down servers, and notifying clients and federal and state agencies. Beginning on December 27, 2021, R.R. Donnelley issued public statements, including in EDGAR filings, regarding the 2021 Ransomware Intrusion.

Reasons for SEC Case
In short, the SEC went after R.R. Donnelley for the company’s failure to maintain sufficient internal accounting controls and disclosure controls and procedures.

As a result, the SEC said R.R. Donnelley violated Exchange Act Section 13(b)(2)(B), which requires companies to devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances access to company assets ends up permitted only in accordance with management’s general or specific authorization.

In addition, the R.R. Donnelley also violated Exchange Act Rule 13a-15(a), which requires companies to maintain disclosure controls and procedures designed to ensure required disclosure information ends up recorded, processed, summarized, and reported within the time periods specified in the SEC’s rules and forms.


Pin It on Pinterest

Share This