SEC accuses RR Donnelley of control failure in connection with cybersecurity incident | Cooley LLP

In that June order, SEC Enforcement entered into a settlement against RR Donnelley & Sons, a “global provider of business communications services and marketing solutions,” for control failures: more specifically, failure to maintain adequate disclosure controls and procedures related to cybersecurity incidents and alerts, and failure to develop and maintain adequate internal accounting controls—more specifically, “a system of cybersecurity-related internal accounting controls sufficient to provide reasonable assurances that access to RRD’s assets—its information technology systems and networks, which contained confidential business and customer data—was permitted only with management approval.” RRD agreed to pay over $2.1 million to settle the charges. Interestingly, SEC Commissioners Hester Peirce and Mark Uyeda in a statement condemned the use of the “internal accounting controls provision of Section 13(b)(2)(B) as a Swiss Army Law to compel issuers to adopt policies and procedures that the Commission considers prudent,” not to mention the “decision to extend the law to punish a company that was the victim of a cyberattack.”

According to the order, RRD regularly stored and transmitted its customers’ confidential data as part of its services. RRD had established internal attack detection systems that issued alerts when attacks were detected. Although the alerts were available for review by RRD’s internal personnel, they were first reviewed by RRD’s third-party managed security services provider, who then forwarded the alerts as needed. Response and remediation of identified incidents was conducted by both RRD’s internal personnel and the MSSP.

Between November 2021 and January 2022, the order states, several alerts were received, three of which were forwarded to RRD’s internal security staff. They indicated the use of malware on multiple computers and provided a “link to an article in a cybersecurity magazine that described the malware and stated that it is commonly used in ransomware operations.” The order states that RRD reviewed the forwarded alerts but “in partial reliance on its MSSP, did not remove the infected instances from the network until late on December 23, 2021, and did not conduct its own investigation into the activity or otherwise take steps to prevent further compromise.” The order also states that the MSSP reviewed at least 20 other alerts related to the same activity in November and December 2021, but did not forward them to RRD. These included “alerts that the same malware was installed or running on multiple other computers across the network and the compromise of a domain controller server, giving the threat actor access and control over a wider range of network resources and credentials. It was widely known at the time that the malware running on the domain controller was used by the ransomware group attributed to the attack on RRD.” Then, between November 29 and December 23, 2021, the threat actor installed encryption software on certain RRD computers and “exfiltrated 70 gigabytes of data, including data from 29 of RRD’s 22,000 customers, some of which contained personal identification and financial information.” After a company with shared access to RRD’s network alerted RRD’s CISO on December 23, RRD security personnel “conducted a rapid and comprehensive response operation.” RRD found no evidence that RRD’s financial systems or the company’s financial and accounting data were accessed in the attack. On December 27, RRD issued a public statement.

According to the SEC, RRD’s cybersecurity review and response policies and procedures were inadequate and did not provide adequate guidance for incident response or oversight of the MSSP’s review and escalation of alerts. Regarding the 2021 ransomware incident, RRD’s “failure to develop and maintain internal controls that provided sufficient assurances that access to RRD’s assets was permitted only with management approval was exploited by hackers. While RRD’s internal systems began issuing alerts on the first day of the attack, approximately three weeks before data was encrypted and exfiltrated, RRD’s external and internal security personnel did not adequately review those alerts or take appropriate investigative and remedial actions until an entity with shared access to RRD’s network notified RRD of anomalous internet traffic on December 23, 2021.”

The SEC alleged that RRD violated the disclosure controls and procedures provisions of Exchange Act Rule 13a-15(a) because it “failed to develop effective disclosure-related controls and procedures for cybersecurity incidents to ensure that relevant information is communicated to management in a timely manner for timely decisions on potentially required disclosures.” Specifically, the controls and procedures “were not designed to ensure that all relevant alert and incident information is reported to RRD’s disclosure decision makers in a timely manner, and no guidelines were provided regarding the personnel responsible for reporting such information to management.”

In addition, the SEC accused RRD of violating the internal accounting controls provisions of Section 13(b)(2)(B) of the Exchange Act, which requires companies to “develop and maintain a system of internal accounting controls sufficient to, among other things, reasonably ensure that access to company assets is permitted only with general or specific management authorization.” Specifically, RRD was accused of violating the internal accounting controls requirements because “RRD’s policies and procedures for reviewing cybersecurity alerts and responding to incidents did not establish an appropriate prioritization scheme and did not provide internal and external personnel with clear guidance on incident response procedures. In addition, RRD did not establish sufficient internal controls to oversee the MSSP’s review and escalation of alerts.”

In reaching the settlement, the SEC took into account RRD’s cooperation and remediation efforts, including reporting the incident to the SEC staff prior to filing an EDGAR report, voluntarily revising its policies, and providing information to staff upon request. RRD was ordered to pay a civil monetary penalty of $2.125 million.

Commissioners Hester Peirce and Mark Uyeda issued a statement criticizing the SEC’s approach to the order — essentially its use of the internal accounting controls provision in Section 13(b)(2)(B) “as a Swiss Army law to compel issuers to adopt policies and procedures that the Commission deems prudent,” without clearly establishing a connection between those preferred policies and procedures and accounting controls. They claimed that the SEC was treating Section 13(b)(2)(B) as “a novel addition to its general-purpose tool — ‘a system of internal accounting controls related to cybersecurity.’”

The order accused RRD of violating the Section 13(b)(2)(B)(iii) requirement to “develop and maintain a system of internal accounting controls sufficient to provide reasonable assurance that (iii) access to assets is permitted only pursuant to general or specific management authorization.” But Peirce and Uyeda argued that the controls at issue here are better categorized as “administrative controls” rather than “internal accounting controls.” How does that work? According to the two commissioners, the “assets” referred to in the order were RRD’s “information technology systems and networks.” But those assets, they claimed, were “not … assets of the type covered by the internal accounting controls provisions of Section 13(b)(2)(B).” The relevant auditing standard, they said, “makes clear that the objective of permitting ‘access to assets’ … only in accordance with management’s authorization does not concern all corporate assets, but rather assets of a particular type – those that are the subject of corporate transactions. The assets at issue in the order – RRD’s computer systems – do not have this essential characteristic.” Although RRD’s computer systems were corporate property, they “were not the subject of corporate transactions. Computer systems process, at most, transactions involving corporate assets, but internal accounting controls concern the use and disposition of the corporate assets themselves,” i.e., “transactions that ended in the disbursement of cash.” Here, “the controls related to the processing of transactions involving company assets are more likely to be classified as administrative controls that affect management decisions prior to the authorization of transactions.” To support their distinction between these two types of controls, they cited several examples from the SEC’s 2018 Investigative Report on Cyber Fraud and Accounting Controls.

According to the two commissioners, the SEC’s order, which accused RRD of failing to maintain “internal accounting controls,” breaks new ground with what they called an “expansive interpretation of what constitutes an asset under Section 13(b)(2)(B)(iii).” But “eliminating the distinction between administrative controls and accounting controls is useful to the Commission. As this case shows, a broad interpretation of Section 13(b)(2)(B), which also includes computer systems, gives the Commission a starting point for regulating the cybersecurity practices of publicly traded companies,” a starting point that the two commissioners sharply criticize. They claimed that this allows the SEC to take the position that “any deviation from what the Commission considers to be reasonable cybersecurity policies could be viewed as a violation of internal accounting controls.” In addition, the two commissioners expressed concern that the SEC is “extending the law to punish a company that has been the victim of a cyberattack.” In their words: “While a coercive action may be justified in certain circumstances, distorting a statutory provision as the basis for such an action unreasonably amplifies the harm caused to a company by a cyberattack.”
