SEC Takes Action Against R.R. Donnelley & Sons Co. for Cybersecurity Violations 2024
Washington D.C., June 18, 2024
The Securities and Exchange Commission today announced that R.R. Donnelley & Sons Company (RRD), a global provider of business communication and marketing services, agreed to pay over $2.1 million to settle disclosure and internal control failure charges relating to cybersecurity incidents and alerts in late 2021.
“The Commission instituted this enforcement action because RRD’s controls for elevating cybersecurity incidents to its management and protecting company assets from cyberattacks were insufficient,” said Jorge G. Tenreiro, Acting Chief of the Crypto Assets and Cyber Unit. “RRD did, however, cooperate with our investigation in a meaningful way, and that is reflected in the terms of this settlement.”
According to the SEC’s order, data integrity and confidentiality were critically important to RRD’s business. Because client data was stored on RRD’s network, its information security personnel and the third-party service provider RRD hired were responsible for monitoring the network’s security.
However, according to the order, RRD failed to design effective disclosure controls and procedures to report relevant cybersecurity information to management with the responsibility for making disclosure decisions, and failed to carefully assess and respond to alerts of unusual activity in a timely manner. The order further finds that RRD failed to devise and maintain a system of cybersecurity-related internal accounting controls sufficient to provide reasonable assurances that access to RRD’s assets – its information technology systems and networks – was permitted only with management’s authorization.
SEC found that R.R. Donnelley & Sons violated rules
The SEC’s order found that RRD violated Section 13(b)(2)(B) of the Securities Exchange Act of 1934 and Exchange Act Rule 13a-15(a). Without admitting or denying the SEC’s findings, RRD agreed to cease and desist from committing violations of these provisions and to pay a $2,125,000 civil penalty. As described in the order, RRD cooperated throughout the investigation, including by reporting the cybersecurity incident to staff prior to filing a disclosure of the incident, by providing meaningful cooperation that helped expedite the staff’s investigation, and by voluntarily adopting new cybersecurity technology and controls.
The SEC’s investigation was conducted by Arsen Ablaev of the Crypto Assets and Cyber Unit and Christine S. Bautista of the Chicago Regional Office, with assistance from Kathleen Sweeney and Christopher Carpenter, and was supervised by Amy Flaherty Hartman and Mr. Tenreiro of the Crypto Assets and Cyber Unit.