Player FM 앱으로 오프라인으로 전환하세요!
Deep Dive into the SEC's Settlement with R&R Donnelly on Cybersecurity Controls
Manage episode 432539894 series 3521257
How does the SEC's recent settlement with R.R. Donnelly & Sons Company impact internal controls for cybersecurity incidents? In this episode of Corruption, Crime, and Compliance, Michael Volkow discusses a significant decision by the SEC involving a $2.1 million settlement with RR Donnelly & Sons Company (RRD) related to a 2021 ransomware attack. The SEC's decision marks the first time it applied its internal controls enforcement authority to cover cybersecurity policies and procedures, representing a substantial expansion of its enforcement reach.
The SEC criticized RRD for failing to prioritize the review of security alerts and implement an effective workflow for escalating such reports. This oversight led to delayed detection and response to the cyber attack, during which hackers exfiltrated 70 gigabytes of data, including personal and financial information tied to 29 clients.
You’ll hear him talk about:
- The importance of robust internal controls to ensure prompt investigation and escalation of potential cybersecurity incidents.
- The need for companies to allocate sufficient resources and personnel to monitor and respond to third-party security alerts.
- The SEC's critique of RRD's internal incident response policies, particularly the lack of clear lines of responsibility and efficient workflows.
- The dissenting opinions within the SEC regarding the broad application of internal controls to cybersecurity, highlighting the need for specific guidance on reasonable cybersecurity controls.
Resources:
341 에피소드
Manage episode 432539894 series 3521257
How does the SEC's recent settlement with R.R. Donnelly & Sons Company impact internal controls for cybersecurity incidents? In this episode of Corruption, Crime, and Compliance, Michael Volkow discusses a significant decision by the SEC involving a $2.1 million settlement with RR Donnelly & Sons Company (RRD) related to a 2021 ransomware attack. The SEC's decision marks the first time it applied its internal controls enforcement authority to cover cybersecurity policies and procedures, representing a substantial expansion of its enforcement reach.
The SEC criticized RRD for failing to prioritize the review of security alerts and implement an effective workflow for escalating such reports. This oversight led to delayed detection and response to the cyber attack, during which hackers exfiltrated 70 gigabytes of data, including personal and financial information tied to 29 clients.
You’ll hear him talk about:
- The importance of robust internal controls to ensure prompt investigation and escalation of potential cybersecurity incidents.
- The need for companies to allocate sufficient resources and personnel to monitor and respond to third-party security alerts.
- The SEC's critique of RRD's internal incident response policies, particularly the lack of clear lines of responsibility and efficient workflows.
- The dissenting opinions within the SEC regarding the broad application of internal controls to cybersecurity, highlighting the need for specific guidance on reasonable cybersecurity controls.
Resources:
341 에피소드
Tüm bölümler
×플레이어 FM에 오신것을 환영합니다!
플레이어 FM은 웹에서 고품질 팟캐스트를 검색하여 지금 바로 즐길 수 있도록 합니다. 최고의 팟캐스트 앱이며 Android, iPhone 및 웹에서도 작동합니다. 장치 간 구독 동기화를 위해 가입하세요.