Gå offline med appen Player FM !
Deep Dive into the SEC's Settlement with R&R Donnelly on Cybersecurity Controls
Manage episode 432539894 series 3521257
How does the SEC's recent settlement with R.R. Donnelly & Sons Company impact internal controls for cybersecurity incidents? In this episode of Corruption, Crime, and Compliance, Michael Volkow discusses a significant decision by the SEC involving a $2.1 million settlement with RR Donnelly & Sons Company (RRD) related to a 2021 ransomware attack. The SEC's decision marks the first time it applied its internal controls enforcement authority to cover cybersecurity policies and procedures, representing a substantial expansion of its enforcement reach.
The SEC criticized RRD for failing to prioritize the review of security alerts and implement an effective workflow for escalating such reports. This oversight led to delayed detection and response to the cyber attack, during which hackers exfiltrated 70 gigabytes of data, including personal and financial information tied to 29 clients.
You’ll hear him talk about:
- The importance of robust internal controls to ensure prompt investigation and escalation of potential cybersecurity incidents.
- The need for companies to allocate sufficient resources and personnel to monitor and respond to third-party security alerts.
- The SEC's critique of RRD's internal incident response policies, particularly the lack of clear lines of responsibility and efficient workflows.
- The dissenting opinions within the SEC regarding the broad application of internal controls to cybersecurity, highlighting the need for specific guidance on reasonable cybersecurity controls.
Resources:
341 episoder
Manage episode 432539894 series 3521257
How does the SEC's recent settlement with R.R. Donnelly & Sons Company impact internal controls for cybersecurity incidents? In this episode of Corruption, Crime, and Compliance, Michael Volkow discusses a significant decision by the SEC involving a $2.1 million settlement with RR Donnelly & Sons Company (RRD) related to a 2021 ransomware attack. The SEC's decision marks the first time it applied its internal controls enforcement authority to cover cybersecurity policies and procedures, representing a substantial expansion of its enforcement reach.
The SEC criticized RRD for failing to prioritize the review of security alerts and implement an effective workflow for escalating such reports. This oversight led to delayed detection and response to the cyber attack, during which hackers exfiltrated 70 gigabytes of data, including personal and financial information tied to 29 clients.
You’ll hear him talk about:
- The importance of robust internal controls to ensure prompt investigation and escalation of potential cybersecurity incidents.
- The need for companies to allocate sufficient resources and personnel to monitor and respond to third-party security alerts.
- The SEC's critique of RRD's internal incident response policies, particularly the lack of clear lines of responsibility and efficient workflows.
- The dissenting opinions within the SEC regarding the broad application of internal controls to cybersecurity, highlighting the need for specific guidance on reasonable cybersecurity controls.
Resources:
341 episoder
Alla avsnitt
×Välkommen till Player FM
Player FM scannar webben för högkvalitativa podcasts för dig att njuta av nu direkt. Den är den bästa podcast-appen och den fungerar med Android, Iphone och webben. Bli medlem för att synka prenumerationer mellan enheter.