Business leaders and security teams can learn a lot from the recent $2.1 million settlement reached between the Securities and Exchange Commission and R.R. Donnelley & Sons Co. regarding a ransomware attack. The settlement brought RRD's negligence to light and emphasises how crucial it is for publicly listed firms to have robust security policies and procedures in place.
Here are key takeaways that private and public organisations can use to improve their cybersecurity posture and comply with SEC standards.
RRD ransomware attack overview
RRD is a publicly listed international provider of marketing and corporate communication services. The organisation used a third-party managed security services provider (MSSP) to safeguard and monitor its infrastructure. In late November 2021, RRD's intrusion prevention systems identified suspicious behaviour and sent notifications to both RRD and its MSSP. After assessing these signals, the MSSP opted to escalate three findings to RRD's security personnel.
- Similar behaviours were observed on multiple computers throughout the RRD network, indicating that a threat actor was either moving laterally or had compromised multiple endpoints.
- The activities had some connection to a larger phishing campaign.
- Open-source intelligence indicated that the malware could allow arbitrary code to be executed remotely.
Unfortunately, RRD did not isolate the compromised devices from the network and did not conduct its own investigation to prevent further compromise until nearly a month later. Between November and December, the MSSP identified at least 20 more security alerts connected to the same incident, including malware execution on a domain controller, but failed to escalate them to RRD.
The attacker then deployed encryption software on RRD machines and stole 70 gigabytes of data, including financial and personal data belonging to 29 of RRD's 22,000 clients. RRD eventually launched its ransomware response actions on December 23, 2021, and filed its Form 8-K on December 27, 2021.
Overview of SEC's findings and judgement
The SEC's filing cites RRD's deficiencies in the following areas:
- RRD's policies and controls were not designed to ensure that all relevant information about security alerts and incidents was reported to RRD's disclosure decision makers on a timely basis.
- RRD failed to provide guidance to its internal and external personnel on reporting and responding to security incidents.
- Even though RRD received alerts and escalations from its systems and its service provider about three weeks before the encryption, it failed to analyse them and take appropriate investigative and remedial action.
Based on these findings, the SEC concluded that RRD violated the disclosure controls and procedures requirements of Exchange Act Rule 13a-15(a) and the internal accounting controls provisions of Exchange Act Section 13(b)(2)(B). The SEC assessed a $2.125 million penalty against RRD.
Key takeaways for security teams
The RRD settlement highlights the SEC's increasing scrutiny of cybersecurity controls and its willingness to enforce the relevant rules. Here are some significant takeaways for security teams in publicly listed companies:
Ensure close oversight of service providers: In your contracts and meetings with MSSPs, be explicit about security requirements and adherence to security processes. Streamline the process for escalating alerts. All such contracts, protocols, and processes should be reviewed at least annually to ensure that there are no gaps.
Implement effective disclosure processes: RRD was fortunate that the new SEC disclosure rules were not in force when this incident occurred. Had those rules been in effect, RRD may have faced far more severe penalties. The current disclosure requirements compel organisations to file a disclosure (Form 8-K) within four days of determining that an incident is material. As a result, it is vital that organisations adopt rigorous disclosure procedures.
Train your staff: There is a direct correlation between phishing and ransomware. Phishing emails are often successful because busy users are distracted by multiple tasks and communication channels, making them less vigilant in identifying phishing attempts. The Conti ransomware group, suspected of being responsible for the RRD attack, is known to use conventional phishing tactics as an entry point.
Phishing succeeds because of poor security awareness, judgement, and vigilance among users. Organisations that use phishing simulation exercises and gamification can significantly reduce successful phishing attacks. Employees should also receive training on security escalation and incident response procedures.
The settlement between the SEC and RRD is a wake-up call for organisations that have failed to prioritise cybersecurity enforcement and regulatory compliance. It is critical for organisations to actively supervise security providers, periodically train personnel on security awareness practices, update escalation and incident management policies, and prioritise security alerts and notifications. By implementing these key best practices, businesses can ensure compliance with the most recent SEC standards while also improving their overall security posture.