SEC Files Settled Charges Based on Alleged Cybersecurity-Related Control Deficiencies | The D&O Diary

In any event, well-advised companies seeking to avoid similar conflicts with the agency and trying to maintain adequate and appropriate cybersecurity reporting processes and procedures will want to review the agency’s cease and desist order carefully. In describing the ways in which the agency contends that RRD’s controls were inadequate, the agency inferentially suggests ways that companies’ internal reporting procedures can be improved in order to ensure that incident alerts are elevated and acted upon appropriately.

Whatever else you want to say about the circumstances involved here, there was a lag between the time of the initial alert and the point at which the company responded to the intrusion, and it was during this lag that the data exfiltration took place. Regardless of any question about a possible SEC enforcement action, all companies seeking to protect their data and assets from this kind of intrusion will want to try to take steps to ensure that this kind of lag does not occur in their operations.
