Settlement Underscores SEC’s Prioritization of Cybersecurity
August 7, 2024
A recent settlement between R.R. Donnelley & Sons (RRD) and the Securities and Exchange Commission (SEC) underscores the agency’s ongoing prioritization of cybersecurity. Akin Gump reports that this case highlights the SEC’s readiness to employ its full regulatory authority, serving as a warning to companies about the importance of robust cyber policies and oversight of third-party security providers under Exchange Act Section 13.
RRD, a marketing and business communications company with SEC-registered clients, faced allegations of mismanaging alerts from its security provider regarding a 2021 ransomware attack. The company stores and transmits confidential client data and uses a third-party managed security service to review and analyze alerts before involving its cybersecurity personnel.
According to the SEC, the ransomware attack occurred between November 29 and December 23, 2021. While the third-party security service alerted RRD’s internal security team, RRD failed to investigate, remove the infection, or take remedial steps. Consequently, the ransomware gang continued to install encryption software and exfiltrate client data.
RRD only began responding on December 23, 2021, after another company with network access alerted RRD’s Chief Information Security Officer to anomalous activity. Subsequently, servers were shut down, and notices were sent to clients and government agencies.
The SEC filing emphasized that the prioritization of cybersecurity for protecting data confidentiality is crucial for RRD’s business, and the company should have had effective disclosure controls and procedures to quickly address cybersecurity incidents and escalate information to decision-makers. RRD’s cooperation was noted as a factor in the settlement.