SEC Fines R.R. Donnelley $2 Mil for Cybersecurity Failings

In 2021, R.R. Donnelley (for us old folks, they used to print phone books for the telephone companies), a global provider of marketing and communications services, was hacked. The ransomware attack encrypted and exfiltrated (stole) 70 gigabytes of data, including data belonging to 29 clients.

The SEC did not fine them for getting hacked. They fined them for having a crappy security program. In the SEC’s words, RRD “failed to execute a timely response to a ransomware network intrusion that occurred between November 29, 2021 and December 23, 2021.”

The SEC says that over 20 alerts were generated by RRD’s managed service provider but only three were escalated to the security team.

Even so, they did nothing about the alerts for a month, which was far too late.

What should you do in response to this – and it doesn’t matter whether you are public or not:

  1. Review your external service providers and make sure they are doing what they should be doing. If only 3 out of 20 alerts were escalated, why was that? Did the MSP have a protocol to follow up on the alerts?
  2. What is the internal process for escalating, reviewing and managing security alerts?
  3. Design and implement effective disclosure processes.
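Items 1 and 2 both come down to the same question: of the alerts your provider raised, which ones actually reached your security team, and how fast? The script below is an added example (not from this alert, and not RRD's, the MSP's or the SEC's material) that reconciles a provider's alert feed against your internal escalation records. The two logs, the CSV-style line format, the alert IDs and the per-severity escalation SLA table are all constructed assumptions for illustration; substitute your MSP's export and your ticketing system's data.

```python
"""Reconcile an MSP alert feed against internal escalation records.

Reports alerts that were never escalated, alerts escalated later than the
agreed SLA for their severity, and the overall escalation rate. All sample
data and the SLA table below are constructed for this example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample MSP alert feed: timestamp,alert_id,severity
MSP_ALERTS = """\
2021-11-29T10:15:00,A-001,high
2021-11-29T11:40:00,A-002,critical
2021-11-30T08:05:00,A-003,medium
2021-12-01T16:20:00,A-004,high
2021-12-02T09:00:00,A-005,low
"""

# Constructed sample internal escalation records: timestamp,alert_id
INTERNAL_ESCALATIONS = """\
2021-11-29T12:00:00,A-002
2021-12-03T10:00:00,A-001
"""

# Assumed escalation SLA per severity; align with your MSP contract.
ESCALATION_SLA = {
    "critical": timedelta(hours=1),
    "high": timedelta(hours=4),
    "medium": timedelta(hours=24),
    "low": timedelta(days=3),
}


@dataclass
class Alert:
    alert_id: str
    raised_at: datetime
    severity: str


def parse_alerts(text):
    """Parse 'timestamp,alert_id,severity' lines into a dict keyed by alert_id."""
    alerts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, alert_id, severity = line.split(",")
        alerts[alert_id] = Alert(alert_id, datetime.fromisoformat(ts), severity.lower())
    return alerts


def parse_escalations(text):
    """Parse 'timestamp,alert_id' lines; keep the earliest escalation per alert."""
    first_escalation = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, alert_id = line.split(",")
        when = datetime.fromisoformat(ts)
        # Ticket exports often contain duplicates; the first escalation is what counts.
        if alert_id not in first_escalation or when < first_escalation[alert_id]:
            first_escalation[alert_id] = when
    return first_escalation


def reconcile(alerts, escalations, sla=ESCALATION_SLA, default_sla=timedelta(hours=24)):
    """Classify every alert as on-time, late, or never escalated."""
    on_time, late, not_escalated = [], {}, []
    for alert_id, alert in sorted(alerts.items()):
        escalated_at = escalations.get(alert_id)
        if escalated_at is None:
            not_escalated.append(alert_id)
            continue
        delay = escalated_at - alert.raised_at
        # Unknown severities fall back to default_sla rather than being skipped.
        if delay <= sla.get(alert.severity, default_sla):
            on_time.append(alert_id)
        else:
            late[alert_id] = delay
    # Escalations that reference no known alert point at a data or process gap.
    orphan_escalations = sorted(set(escalations) - set(alerts))
    escalated = len(on_time) + len(late)
    return {
        "on_time": on_time,
        "late": late,
        "not_escalated": not_escalated,
        "orphan_escalations": orphan_escalations,
        "escalation_rate": escalated / len(alerts) if alerts else 0.0,
    }


def run_report():
    """Run the reconciliation over the constructed sample data."""
    return reconcile(parse_alerts(MSP_ALERTS), parse_escalations(INTERNAL_ESCALATIONS))


if __name__ == "__main__":
    report = run_report()
    print(f"escalation rate: {report['escalation_rate']:.0%}")
    print("never escalated:", report["not_escalated"])
    for alert_id, delay in report["late"].items():
        print(f"late: {alert_id} escalated after {delay}")
```

Run it on a month of real exports and the "never escalated" list is the first thing to put in front of the provider; the "late" list, with its delays, is the evidence for whether your internal process is meeting the SLA you think it is.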

The fine of $2.1 million was for internal control failures. The SEC said that RRD cooperated with them, which is why the fine is so low.

The SEC said:

Whether you are a public company or not (private companies still need to worry about getting sued), designing an effective cybersecurity program is no longer an option. RR Donnelley is not alone in having an ineffective cybersecurity program, but that is not a club that you want to be a member of.

If you need help with yours, please contact us.

Credit KnowBe4 and US SEC