Securities Lawyer Blog

SEC Charges R.R. Donnelley & Sons Co. with Cybersecurity-Related Controls Violations

Introduction

In a significant enforcement action, the Securities and Exchange Commission (SEC) announced that R.R. Donnelley & Sons Company (RRD), a global leader in business communication and marketing services, has agreed to pay over $2.1 million to settle charges related to cybersecurity control failures. This action highlights the increasing regulatory focus on cybersecurity and the necessity for companies to implement robust internal controls to protect sensitive data.

Case Overview

According to the SEC's order, RRD experienced cybersecurity incidents and alerts in late 2021 that exposed weaknesses in its disclosure and internal control procedures. The SEC's investigation revealed that RRD's controls for elevating cybersecurity incidents to management and protecting company assets from cyberattacks were insufficient.

Key Findings

  1. Disclosure and Internal Control Failures: The SEC found that RRD failed to design effective disclosure controls and procedures to report relevant cybersecurity information to management responsible for making disclosure decisions. Additionally, RRD did not adequately assess and respond to alerts of unusual activity in a timely manner.

  2. Cybersecurity-Related Internal Accounting Controls: RRD failed to maintain a system of cybersecurity-related internal accounting controls that could provide reasonable assurances that access to its information technology systems and networks was authorized by management.

  3. Violations: The SEC's order determined that RRD violated Section 13(b)(2)(B) of the Securities Exchange Act of 1934 and Exchange Act Rule 13a-15(a). These provisions require companies to devise and maintain adequate internal accounting control systems and disclosure controls and procedures.

Settlement and Cooperation

Without admitting or denying the SEC’s findings, RRD agreed to cease and desist from committing violations of these provisions and to pay a $2,125,000 civil penalty. The SEC acknowledged RRD’s meaningful cooperation during the investigation, including reporting the cybersecurity incident to the SEC staff before filing a formal disclosure and voluntarily adopting new cybersecurity technology and controls.

Regulatory Implications

This case underscores the importance of robust cybersecurity measures and the regulatory expectations for companies to protect their data integrity and confidentiality. The SEC's Acting Chief of the Crypto Assets and Cyber Unit, Jorge G. Tenreiro, emphasized that insufficient controls for elevating cybersecurity incidents and protecting company assets from cyberattacks will result in enforcement actions.

Conclusion

The RRD case serves as a critical reminder for companies to regularly review and strengthen their cybersecurity-related controls and disclosure procedures. As cyber threats continue to evolve, regulatory scrutiny will likely increase, making it imperative for companies to stay vigilant and proactive in their cybersecurity efforts.

Gayatri Gupta