In 2021, R.R. Donnelley (for us old folks, they used to print phone books for the telephone companies), a global provider of marketing and communications services, was hacked. The attackers deployed ransomware and exfiltrated (stole) 70 gigabytes of data, including data belonging to 29 of RRD's clients.
The SEC did not fine them for getting hacked. They fined them for having a crappy security program. In the SEC's words, RRD "failed to execute a timely response to a ransomware network intrusion that occurred between November 29, 2021 and December 23, 2021."
The SEC says that more than 20 alerts were generated during the intrusion, but RRD's managed security services provider escalated only three of them to RRD's security team.
Even so, nobody acted on those alerts for the better part of a month, which was more than a bit too late.
So what should you do in response to this, whether you are a public company or not? First, understand what the SEC actually fined them for.
The $2.1 million fine was for internal control failures. The SEC said that RRD cooperated with the investigation, which is why the fine is as low as it is.
The SEC said:
RRD failed to design effective disclosure controls and procedures to report relevant cybersecurity information to management with the responsibility for making disclosure decisions, and failed to carefully assess and respond to alerts of unusual activity in a timely manner. The order further finds that RRD failed to devise and maintain a system of cybersecurity-related internal accounting controls sufficient to provide reasonable assurances that access to RRD’s assets – its information technology systems and networks – was permitted only with management’s authorization.
Whether you are a public company or not (private companies still need to worry about getting sued), designing an effective cybersecurity program is no longer optional. R.R. Donnelley is not alone in having an ineffective cybersecurity program, but that is not a club you want to belong to.
If you need help with yours, please contact us.