According to the filing, the organization in question failed to devise controls to adequately detect, respond to, and disclose an attack that included data exfiltration and service disruption.
Back in 2021, R.R. Donnelley & Sons Co. (RRD), a publicly traded global provider of marketing and business communication services, suffered a ransomware attack that encrypted its computers, exfiltrated over 70GB of data (including personal and financial information belonging to 29 clients), and disrupted RRD's business services.
According to a recent filing by the SEC late last month, RRD “failed to execute a timely response to a ransomware network intrusion that occurred between November 29, 2021 and December 23, 2021.” Over 20 alerts were generated by RRD’s managed service provider, but only three were escalated to the internal security team.
In the filing, the SEC notes several specific indicators that should have prompted RRD to act on the alerts:
- The indications that similar activity was taking place on multiple computers;
- Connections to a broad phishing campaign; and
- Open-source intelligence that the malware was capable of facilitating remote execution of arbitrary code.
Even so, RRD took no action on the alerts for roughly a month, by which point the attacker had already encrypted systems and exfiltrated data.
KnowBe4's Data-Driven Defense Evangelist Roger A. Grimes provides this statement, "The SEC has shown increasing likelihood to fine and penalize companies it thinks aren't doing enough to protect customer data and information. In response, there have been three types of organizations: organizations that are doing more than they need to, such as reporting cybersecurity incidents that don't even meet the materiality requirements; organizations who meet the letter of the law; and those that seem unaware of or are actively ignoring legal requirements. Customers are paying attention."
The result was a $2.125 million penalty from the SEC because of the impact these oversights had on shareholders. The takeaway is that organizations need proper controls and processes for the following:
- Auditing and overseeing security service providers
- Reviewing and escalating security alerts
- Designing and implementing effective disclosure controls
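One way to make the first two of those controls checkable rather than aspirational, as an added example that is not from the post, from RRD or from the SEC order: a small Python escalation policy that scores each alert from a managed service provider against the three indicators the SEC listed (same activity on multiple hosts, a link to a broad phishing campaign, open-source intelligence that the malware can execute arbitrary code), adds a review-SLA check so that an alert cannot quietly sit for a month, and then reconciles the result against what the provider actually escalated. The host and campaign thresholds, the 72-hour correlation window, the malware family names, the OSINT lookup table and the sample alert feed are all constructed for illustration.

```python
"""Added example: codifying alert-escalation rules so an MSP's alerts cannot sit unreviewed.

The rule set mirrors the three indicators the SEC said should have triggered escalation,
plus a review-SLA check. All names, thresholds and sample alerts are constructed for
illustration and are not taken from the RRD case.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed stand-in for open-source intelligence: malware family -> can it run arbitrary code?
OSINT_RCE_CAPABLE = {"FakeLoader": True, "AdwareX": False}  # hypothetical family names


@dataclass
class Alert:
    id: str
    ts: datetime
    host: str
    rule: str                    # detection name as reported by the provider
    family: str = ""             # malware family named in the alert, if any
    campaign: str = ""           # phishing campaign the provider tied the alert to, if any
    msp_escalated: bool = False  # did the provider actually escalate it to the internal team?


def escalation_reasons(alerts, now, host_threshold=3, campaign_threshold=2,
                       window=timedelta(hours=72), review_sla=timedelta(hours=24)):
    """Return {alert_id: [reasons]} for every alert that policy says the internal team must see."""
    by_rule = defaultdict(list)
    by_campaign = defaultdict(list)
    for a in alerts:
        by_rule[a.rule].append(a)
        if a.campaign:
            by_campaign[a.campaign].append(a)

    decisions = {}
    for a in alerts:
        reasons = []
        # 1. Similar activity on multiple computers within the correlation window.
        hosts = {b.host for b in by_rule[a.rule] if abs(b.ts - a.ts) <= window}
        if len(hosts) >= host_threshold:
            reasons.append(f"rule {a.rule!r} seen on {len(hosts)} hosts")
        # 2. Connection to a broad phishing campaign (the same lure hitting several hosts).
        if a.campaign:
            campaign_hosts = {b.host for b in by_campaign[a.campaign]}
            if len(campaign_hosts) >= campaign_threshold:
                reasons.append(f"campaign {a.campaign!r} hit {len(campaign_hosts)} hosts")
        # 3. Open-source intelligence says the malware can execute arbitrary code.
        if OSINT_RCE_CAPABLE.get(a.family):
            reasons.append(f"{a.family} is RCE-capable per OSINT")
        # 4. Nobody acted: the alert is still unescalated past the review SLA.
        if not a.msp_escalated and now - a.ts > review_sla:
            reasons.append("unreviewed past SLA")
        if reasons:
            decisions[a.id] = reasons
    return decisions


def provider_misses(alerts, decisions):
    """Oversight check: alerts policy says to escalate that the provider never escalated."""
    return [a.id for a in alerts if a.id in decisions and not a.msp_escalated]


# Constructed sample alert feed (hypothetical hosts, rules and timestamps).
T0 = datetime(2024, 1, 10, 9, 0)
SAMPLE_ALERTS = [
    Alert("A1", T0, "ws-01", "suspicious-macro-spawn", "FakeLoader", "invoice-lure-42", msp_escalated=True),
    Alert("A2", T0 + timedelta(hours=1), "ws-02", "suspicious-macro-spawn", "FakeLoader", "invoice-lure-42"),
    Alert("A3", T0 + timedelta(hours=5), "ws-03", "suspicious-macro-spawn", "FakeLoader"),
    Alert("A4", T0 + timedelta(hours=2), "ws-04", "adware-install", "AdwareX"),
    Alert("A5", T0 + timedelta(hours=3), "ws-05", "adware-install", "AdwareX"),
    Alert("A6", T0 + timedelta(hours=10), "ws-01", "dns-lookup-newly-registered-domain"),
]
NOW = T0 + timedelta(hours=26)  # the moment the oversight review runs

if __name__ == "__main__":
    decisions = escalation_reasons(SAMPLE_ALERTS, NOW)
    for alert_id, why in decisions.items():
        print(alert_id, "->", "; ".join(why))
    print("provider missed:", provider_misses(SAMPLE_ALERTS, decisions))
```

Run on the constructed feed, the policy escalates A1, A2 and A3 (the same macro detection on three hosts, two of them tied to one lure, all naming an RCE-capable family) and flags A2 as also sitting unreviewed past the SLA; the two adware alerts and the lone DNS alert stay at provider level. The oversight check then reports that the provider escalated only A1 and missed A2 and A3, which is exactly the reconciliation an internal team needs to run against its MSP rather than trusting the provider's own triage.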
Additionally, given the role of phishing in the attack, I would add controls such as security awareness training, so that users recognize phishing and social engineering attempts before they engage with them and hand the attacker the malware execution, stolen credentials, or other foothold needed to continue the attack.
KnowBe4 empowers your workforce to make smarter security decisions every day. Over 65,000 organizations worldwide trust the KnowBe4 platform to strengthen their security culture and reduce human risk.