On June 18, 2024, the U.S. Securities and Exchange Commission (“SEC”) announced a settlement with R.R. Donnelley & Sons Co. (“RRD”), a global provider of business communication and marketing services, for violating the internal controls and disclosure controls provisions of federal securities laws in relation to Donnelley’s response to a 2021 ransomware attack. The settlement requires RRD to pay a civil monetary penalty of $2.125 million and cease and desist from further violations of Section 13(b)(2)(B) of the Securities Exchange Act of 1934 and Exchange Act Rule 13a-15(a).

During the relevant period of time, RRD was a publicly traded company subject to the SEC’s disclosure and periodic reporting requirements. According to the SEC’s order, RRD’s cybersecurity intrusion detection systems issued a high volume of complex alerts each month. RRD’s third-party managed security services provider (the “SSP”) did an initial review of the alerts and escalated certain of them to RRD, but the SEC’s order alleged that RDD did not reasonably manage the SSP’s allocation of resources or maintain sufficient audit and oversight procedures with respect to the SSP. These issues came to a head when RRD experienced a ransomware attack in late 2021. Starting November 29, 2021, the SEC alleged that RRD’s internal intrusion detection systems began issuing alerts about certain malware in the RRD network, which were visible to both RRD’s and the SSP’s security personnel. According to the order, the SSP escalated three of alerts to RRD’s internal security personnel, noting: (1) the indications that similar activity was taking place on multiple computers; (2) connections to a broad phishing campaign; and (3) open-source intelligence that the malware was capable of facilitating remote execution of arbitrary code.

RRD reviewed the escalated alerts but, according to the SEC, “did not take the infected instances off the network and failed to conduct its own investigation of the activity, or otherwise take steps to prevent further compromise before December 23, 2021” after another company with shared access to RRD’s network alerted RRD’s Chief Information Security Officer (“CISO”) about potential anomalous internet activity emanating from RRD’s network. The SEC observed that in November and December 2021, the SSP reviewed, but did not escalate to RRD, at least 20 other alerts were related to the same activity, “including alerts regarding the same malware being installed or executed on multiple other computers across the network and compromise of a domain controller server, which provided the threat actor with access to and control over a broader sweep of network resources and credentials.” Between November 29 and December 23, 2021, the SEC determined that the threat actor was able to install encryption software on various RRD computers. The threat actor ultimately exfiltrated 70 gigabytes of data; this included data belonging to 29 of RRD’s 22,000 clients, some of which contained personal identification and financial information.

After the December 23, 2021 alert, RRD’s security personnel initiated a response operation, including shutting down servers, and notifying clients and federal and state agencies. Beginning on December 27, 2021, RRD issued public statements, including in EDGAR filings, regarding the ransomware intrusion.

The SEC’s order found that RRD failed to design effective cybersecurity incident controls and procedures, with key failures related to the timeliness of relevant communications and decisions around potential incident disclosures. The SEC noted that intrusion detection alerts were available to RRD’s internal personnel for review, but were first reviewed and analyzed by the SSP, after which the SSP would escalate certain alerts to RRD’s internal cybersecurity personnel. Despite what the SEC characterized as a high volume and complexity of alerts that the SSP was responsible for reviewing, the SEC alleged that RRD did not reasonably manage the SSP’s allocation of resources. For example, in its contract and communications with the SSP, the SEC noted that RRD failed to reasonably set out a sufficient prioritization scheme and workflow for review and escalation of the alerts. The SEC also alleged RRD did not have sufficient procedures to audit or otherwise oversee the SSP in order to confirm the SSP’s review and escalation of alerts were consistent with RRD’s instructions. Despite the high volume and complexity of alerts the SSP escalated to RRD, the SEC noted that RRD personnel responsible for reviewing and responding to escalated alerts had significant other job responsibilities, resulting in “insufficient time to dedicate to the escalated alerts and general threat-hunting in RRD’s environment.” According to the SEC, RRD’s “internal policies governing its personnel’s review of cybersecurity alerts and incident response also failed to sufficiently identify lines of responsibility and authority, set out clear criteria for alert and incident prioritization, and establish clear workflows for alert review and incident response and reporting.”

As a result of this conduct, the SEC determined that RRD violated two key provisions of the federal securities laws:

• Section 13(b)(2)(B) of the Securities Exchange Act of 1934, which requires public companies to devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances, among other things, that access to company assets is permitted only in accordance with management’s general or specific authorization; and
• Exchange Act Rule 13a-15(a), which requires public companies to maintain disclosure controls and procedures designed to ensure that information required to be disclosed in reports it files with the SEC is recorded, processed, summarized and reported within the time periods specified in the Commission’s rules and forms.

Central to these charges is the SEC’s determination that RRD’s information technology systems and networks constituted an asset of the company. Two of the five SEC commissioners dissented from the action, and took particular issue with the majority’s “expansive interpretation of what constitutes an asset under Section 13(b)(2)(B)(iii).” By treating RRD’s computer systems as an asset subject to the internal accounting controls provision, the dissenting commissioners argued that the SEC’s order ignores the distinction between internal accounting controls and broader administrative controls.

The SEC noted that its decision to accept the settlement took into consideration RRD’s cooperation with the investigation and remedial actions, including reporting the ransomware attack to the SEC prior to disclosing it to investors, revising incident response policies and procedures, adopting new cybersecurity technology and controls, updating employee training, and increasing cybersecurity personnel headcount.

The enforcement action is the latest of many in which the SEC has pursued disclosure controls or internal controls charges against a public company for perceived shortcomings related to the disclosure of cybersecurity risks and incidents, and is significant for its focus on a company’s oversight of a third-party security service provider.