(Article from Registered Funds Regulatory Update, July 2024)
The SEC settled with a publicly traded company that is a global provider of business communication and marketing services for violations of the federal securities laws related to its inadequate response to a 2021 ransomware attack. The SEC’s charges, rooted in failures of internal controls and disclosure procedures, underscore the SEC’s intensified scrutiny of cybersecurity practices in public companies.
The company experienced a significant cybersecurity breach between November 2021 and January 2022. During this period, the company’s internal systems issued multiple alerts about malware presence, but both the company’s internal teams and its third-party managed security services provider failed to adequately address the threat. The SEC’s investigation revealed that while the service provider initially reviewed and escalated some alerts, there was a critical lag in comprehensive response and remediation. Consequently, a threat actor installed encryption software and exfiltrated 70 gigabytes of sensitive data, impacting 29 of the company’s 22,000 clients.
The SEC found that the company’s cybersecurity incident controls and procedures were significantly flawed. According to the SEC, the company’s reliance on the service provider without sufficient oversight, inadequate internal controls for reviewing and responding to cybersecurity alerts, and lack of effective communication channels contributed to the severity of the attack. The SEC’s order emphasized that the company’s failure to properly manage and audit the service provider’s actions and resources led to the prolonged exposure and eventual data breach.
The SEC determined that the company violated two provisions of the Exchange Act. First, the company violated Section 13(b)(2)(B) of the Exchange Act, which requires public companies to maintain internal accounting controls that provide reasonable assurances regarding access to company assets. The SEC treated the company’s information technology systems and networks as assets, which therefore required robust internal controls to protect against unauthorized access. Second, the SEC found that the company violated Exchange Act Rule 13a-15(a), which requires public companies to maintain disclosure controls and procedures to ensure timely and accurate reporting of significant information. According to the SEC, the company failed to design and implement effective controls for the timely communication of cybersecurity incidents to management, which in turn impaired its disclosure decisions.
Without admitting or denying the SEC’s findings, the company agreed to a cease-and-desist order and to pay a $2.125 million civil monetary penalty. In reaching the settlement, the SEC acknowledged the company’s cooperation and remedial efforts. This included reporting the incident to the SEC before any public disclosure, revising cybersecurity policies and procedures, adopting new technologies, enhancing employee training, and increasing cybersecurity staff.
In the Matter of R.R. Donnelley & Sons Co., SEC Admin. Proc. File No. 3-21969 (June 18, 2024), available at: https://www.sec.gov/files/litigation/admin/2024/34-100365.pdf.