Example of Cyber Disclosure Challenges

Radical Compliance is back from vacation, and what better way to catch up on current compliance issues than an enforcement action over poor cybersecurity? Lucky for us, the Securities and Exchange Commission served up a fresh case just last week on exactly that headache.

The case involves R.R. Donnelley, provider of business marketing services to corporate customers. Donnelley agreed last week to pay $2.1 million to settle civil charges that the company failed to design effective disclosure controls to address cybersecurity incidents, and failed to maintain effective internal accounting controls to protect Donnelley’s assets — which were, let’s remember, the IT systems that Donnelley used to store confidential customer data. 

So what happened? As described in the SEC settlement order, Donnelley suffered a ransomware attack in late November 2021. A cybersecurity vendor that Donnelley used to monitor for such attacks did alert the company that one was underway, but Donnelley’s own IT security team didn’t give the attack much attention for nearly a month. Instead, Donnelley only swung into action when another business alerted Donnelley’s CISO directly about the attack. By then the damage had been done, with Donnelley customer data copied and posted to the dark web.

Compliance and audit professionals have several interesting threads to pull here. Let’s start with the one most widely relevant: this case is yet another example of how the SEC believes disclosure controls and procedures should operate, and how companies still struggle to meet those expectations. 

What Actually Happened Here

Let’s begin with a close read of the facts described in the SEC settlement order. 

Trouble began on Nov. 29, 2021, when attackers penetrated Donnelley’s corporate network. Donnelley’s automated intrusion detection systems quickly discovered the attack and alerted a third-party cybersecurity vendor Donnelley used to help manage its security operations. That vendor reviewed the automated alerts and escalated them to Donnelley’s internal security team. 

Specifically, the vendor warned Donnelley that the malware was detected on multiple Donnelley computers (meaning, the hackers had already gained entry and were moving around the network), and that the malware was known to be used for ransomware attacks and data theft. 

Donnelley’s IT team did review those escalated alerts, but did not remove the infected machines from its network or conduct its own investigation until Dec. 23, 2021. That’s when another company with access to Donnelley’s network alerted Donnelley’s CISO directly that something fishy was happening on that network. Once the CISO was informed, Donnelley security personnel “conducted a rapid and extensive response operation, including shutting down servers, and notifying clients and federal and state agencies.” 

In other words, Donnelley didn’t scramble the cybersecurity fighter jets until the boss got involved. 

During those intervening four weeks, from when Donnelley was first informed of an intrusion on Nov. 29 until the CISO kicked an incident response plan into overdrive on Dec. 23, the cybersecurity vendor logged at least 20 other alerts on the same malware intrusion, some of them quite serious. None of those new alerts, however, were escalated to Donnelley’s own security team. Meanwhile, that team was overworked with other duties and lumbered along with unclear roles and responsibilities for incident response.

Final result: by the time Donnelley’s CISO intervened, the hackers had already swiped 70 gigabytes of data, including personal and financial data belonging to 29 Donnelley clients.

Problems With Disclosure Controls

One striking element in this case was the disconnect between Donnelley’s security operations and its disclosure operations. That is, Donnelley’s security vendor and even its own internal security team were indeed doing things; they were logging incidents related to the attack and reviewing alerts, even if Donnelley’s overworked internal team was also bogged down in other duties. But no reports of that activity reached the ears of more senior executives, who could have responded with, “Oh crap, we have to disclose this to investors and the feds.” 

So yet again we’re reminded that disclosure controls and procedures really need to work along two dimensions: disclosure outward, from the company to investors; and disclosure upward, from the low-level peons who know what’s really happening to the senior executives responsible for disclosure outward. 

We’ve seen this dynamic in multiple SEC enforcement actions. For example, the agency’s lawsuit against SolarWinds and its CISO cites numerous examples of the company disclosing outward that its cybersecurity processes were great, while the low-level peons were grumbling internally that cybersecurity was a mess. We could say the same for Activision Blizzard’s settlement with the SEC in 2023, where the SEC nailed Activision for telling investors that it took employee retention seriously while those same employees had been complaining about a harassing environment for years. 

The settlement order with Donnelley paints a similarly messy picture. Go back to those 20 alerts that Donnelley’s vendor logged after first informing Donnelley of the attack. One such alert was that hackers had taken over a domain controller, the server that authenticates users and computers across a Windows network and therefore gave them sweeping access to Donnelley’s systems. An incident like that should have been stapled to the CISO’s forehead with “panic!” scribbled across the top. Instead, the alert went nowhere.

Think of it this way. If low-level peons in the accounting department were warned of a potentially material fraud or embezzlement scheme, and the accounting team then spent a month dithering with that news without informing the CFO or the audit committee — good lord, there would be hell to pay. Nobody would question the SEC roasting that company for poor disclosure processes. 

Now we see those same challenges in the even more complicated world of corporate cybersecurity. As the settlement order put it, Donnelley’s cybersecurity procedures and controls “were not designed to ensure all relevant information relating to alerts and incidents was reported to [Donnelley’s] disclosure decision-makers in a timely manner, and did not provide guidance regarding the personnel responsible for reporting such information to management.” 

That’s what internal control teams need to figure out now.

Developing Better Processes

The question, of course, is how internal control teams figure out the appropriate disclosure controls and procedures, especially for something as complicated as cybersecurity risk. The issue cuts across numerous corporate silos, and companies tend to rely on lots of third-party vendors to manage their cybersecurity risks too. All of that needs to be wrestled into a set of robust policies and procedures.

For example, you’ll first need clear definitions of what a material cybersecurity incident is. We’ve addressed that question in these pages before, including how qualitatively material incidents can be quite difficult to identify.

Now consider that point in the Donnelley attack when the hackers took over the domain controller. Would that count as a qualitatively material incident? How would IT security people know an event like that is material? Conversely, how would disclosure teams know that compromising a domain controller is a big deal? Each side has the expertise to understand one half of the equation, but not the other. 
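One practical way to close that gap is to write the bridge down before an incident: the disclosure side names the assets and malware capabilities it considers presumptively material, and the security team turns those criteria into an escalation rule that runs over the alert feed, so nobody on shift has to make a materiality judgment from scratch. What follows is an added example, not code from the SEC order, from Donnelley, or from its vendor; the asset roles, the “campaign” field, the thresholds and the sample alerts are all constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed asset inventory and rule thresholds for this example. A real
# deployment would pull roles from a CMDB and thresholds from the incident
# response plan; none of these values come from the SEC order.
TIER0_ROLES = {"domain-controller", "identity-provider", "backup-server"}
HIGH_IMPACT_TAGS = {"ransomware", "data-theft"}


@dataclass(frozen=True)
class Alert:
    ts: datetime        # when the vendor or IDS raised the alert
    host: str           # affected host
    campaign: str       # vendor's grouping of related detections (assumed field)
    tags: frozenset     # capabilities attributed to the malware family


def evaluate_campaign(alerts, asset_roles, isolated=frozenset(),
                      host_threshold=3, volume_threshold=10,
                      window=timedelta(days=7)):
    """Decide whether one campaign's open alerts must reach disclosure
    decision-makers. Returns (escalate, reasons). Alerts on hosts that have
    already been isolated no longer count: containment, not review, is what
    turns an alert from 'open' into 'handled'."""
    active = [a for a in alerts if a.host not in isolated]
    if not active:
        return False, []
    reasons = []
    hosts = {a.host for a in active}

    # Rule 1: any Tier-0 asset (e.g. a domain controller) escalates at once.
    tier0 = sorted(h for h in hosts if asset_roles.get(h) in TIER0_ROLES)
    if tier0:
        reasons.append(f"tier0 asset compromised: {', '.join(tier0)}")

    # Rule 2: ransomware- or exfiltration-capable malware spreading laterally.
    impact = {t for a in active for t in a.tags} & HIGH_IMPACT_TAGS
    if impact and len(hosts) >= host_threshold:
        reasons.append(f"{'/'.join(sorted(impact))}-capable malware on {len(hosts)} hosts")

    # Rule 3: alert volume nobody has closed, whatever each alert's severity.
    latest = max(a.ts for a in active)
    recent = [a for a in active if latest - a.ts <= window]
    if len(recent) >= volume_threshold:
        reasons.append(f"{len(recent)} open alerts within {window.days} days")

    return bool(reasons), reasons


def triage(alerts, asset_roles, **kwargs):
    """Group an alert feed by campaign and evaluate each group."""
    by_campaign = defaultdict(list)
    for a in alerts:
        by_campaign[a.campaign].append(a)
    return {c: evaluate_campaign(v, asset_roles, **kwargs) for c, v in by_campaign.items()}


# Constructed sample feed; the dates only loosely mirror the order's timeline.
T0 = datetime(2021, 11, 29, 9, 0)
ASSET_ROLES = {"ws-0412": "workstation", "ws-0587": "workstation",
               "fs-02": "file-server", "dc-01": "domain-controller"}
SAMPLE_ALERTS = [
    Alert(T0, "ws-0412", "camp-7", frozenset({"ransomware", "data-theft"})),
    Alert(T0 + timedelta(hours=2), "ws-0587", "camp-7", frozenset({"ransomware", "data-theft"})),
    Alert(T0 + timedelta(days=1), "fs-02", "camp-7", frozenset({"data-theft"})),
    Alert(T0 + timedelta(days=9), "dc-01", "camp-7", frozenset({"credential-access"})),
    Alert(T0 + timedelta(days=3), "ws-0901", "camp-9", frozenset({"adware"})),
]


def noise_feed(n, campaign="camp-x"):
    """Constructed feed of n untagged alerts on distinct hosts, one per hour."""
    return [Alert(T0 + timedelta(hours=i), f"ws-{i:04d}", campaign, frozenset()) for i in range(n)]


if __name__ == "__main__":
    for campaign, (escalate, reasons) in triage(SAMPLE_ALERTS, ASSET_ROLES).items():
        print(campaign, "ESCALATE" if escalate else "monitor", reasons)
```

Two design choices matter here. First, an isolated host drops out of every rule, which encodes the order’s distinction between reviewing an alert and actually removing the machine from the network: review alone never makes an alert go away. Second, the volume rule exists precisely so that a pile of individually unremarkable alerts on one campaign cannot accumulate in silence; the thresholds are placeholders, and the people who own disclosure decisions should be the ones to set them.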

Indeed, it’s telling that once Donnelley’s CISO got involved and everyone finally grasped the severity of the attack, Donnelley performed admirably. It filed an 8-K disclosure of the attack promptly. It revised its incident response policies and procedures, adopted new cybersecurity technology and controls, improved employee training, and hired more cybersecurity personnel.

The challenge for companies today is to develop all those strong internal reporting and disclosure processes before some specific attack forces your hand. You have extensive regulatory compliance obligations (such as SEC disclosure rules) that make those capabilities mandatory; you also have simple risk management imperatives (you don’t want hackers stealing your stuff, period) that make them important too.

It’s yet another sign of our brave new cybersecurity-centric world. Compliance, IT security, legal, and internal audit teams will need to figure out a path forward somehow.
