SEC Fines Publicly Traded Company $2.125 Million For Negligence Before, During, and After a Ransomware Attack



Cybersecurity SpendAccording to the filing, the organization in question failed to devise controls to adequately detect, respond to, and disclose an attack that included data exfiltration and service disruption.

Back in 2021, R.R. Donnelley & Sons Co. (RRD), a publicly traded global provider of marketing and business communication services, succumbed to a ransomware attack that resulted in the successful encryption of their computers, exfiltration of over 70GB of data (which included the personal and financial information for 29 clients), and disruption of RRD's business services.

According to a recent filing by the SEC late last month, RRD “failed to execute a timely response to a ransomware network intrusion that occurred between November 29, 2021 and December 23, 2021.” Over 20 alerts were generated by RRD’s managed service provider, but only three were escalated to the internal security team. 

In the filing, the SEC notes a few specific about the negligence on RRD’s part:

  1. The indications that similar activity was taking place on multiple computers;
  2. Connections to a broad phishing campaign; and
  3. Open-source intelligence that the malware was capable of facilitating remote execution of arbitrary code.

Even so, RRD did nothing about the alerts until a month later – when it was too late.

KnowBe4's Data-Driven Defense Evangelist Roger A. Grimes provides this statement, "The SEC has shown increasing likelihood to fine and penalize companies it thinks aren't doing enough to protect customer data and information. In response, there have been three types of organizations. Organizations that are doing more than they need to, such as reporting cybersecurity incidents that don't even meet the materiality requirements, organizations who meet the letter of the law, and those that seem unaware or actively ignoring legal requirements. Customers are paying attention."

The result is a $2.125 million fine by the SEC because of the impact these oversights had on shareholders. The takeaway from this is for organizations to have proper controls and process for the following:

  • Audit and oversight over security service providers
  • Review and escalation of security alerts
  • Design and implement effective disclosure controls

Additionally, given the role of phishing in the attack, I’d add putting controls in place such as security awareness training  to stop phishing and social engineering attacks before users engage with them to enable malware, credential theft, and any other malicious action needed to continue an attack.

KnowBe4 empowers your workforce to make smarter security decisions every day. Over 65,000 organizations worldwide trust the KnowBe4 platform to strengthen their security culture and reduce human risk.


RanSim

Free downloadable software tool

Threat actors are constantly coming out with new strains to evade detection. Is your network effective in blocking all of them when employees fall for social engineering attacks?

RanSim gives you a quick look at the effectiveness of your existing network protection. RanSim will test 24 ransomware infection scenarios and 1 cryptomining infection scenario and show you if a workstation is vulnerable.

RansIm-Monitor3Here's how it works:

  • 100% harmless simulation of real ransomware and cryptomining infections
  • Does not use any of your own files
  • Tests 25 types of infection scenarios
  • Just download the installer and run it
  • Results in a few minutes!

Get RanSim!

PS: Don't like to click on redirected buttons? Cut & Paste this link in your browser:

https://www.knowbe4.com/ransim



Subscribe to Our Blog


Comprehensive Anti-Phishing Guide




Get the latest about social engineering

Subscribe to CyberheistNews