On June 18, 2024, the SEC announced the settlement of administrative proceedings brought against a marketing and business communications firm for alleged internal accounting control deficiencies that caused the firm’s failure to promptly respond to a ransomware attack that occurred between November 29, 2021 and December 23, 2021, and which involved the unauthorized encryption of the firm’s computers, exfiltration of firm and client data, and business service disruptions. According to the order, the firm received and reviewed network intrusion alerts escalated to it by its third-party managed security services provider, but the firm’s cybersecurity alert review and incident response policies and procedures failed to adequately establish a prioritization scheme and provide clear guidance to internal and external personnel on procedures for responding to such incidents. As a result, the firm did not take the malware-infected instances off its network, investigate the activity, or take other steps to prevent further network compromise until December 23, 2021.