On July 18, 2024, the U.S. Securities and Exchange Commission (SEC) announced a settlement with R.R. Donnelley & Sons Company (RRD) for over $2.1 million. The settlement resolves allegations of inadequate cybersecurity practices related to a significant data breach that occurred in late 2021. According to the SEC, RRD’s failure to maintain effective controls for elevating cybersecurity incidents to management and protecting company assets contributed to the breach’s impact. The company’s oversight lapses, particularly in its management of security alerts from its third-party security services provider, were central to the SEC’s enforcement action.
The breach, which was initially detected on November 29, 2021, involved RRD’s third-party managed security services provider (MSSP) escalating three security alerts to RRD’s internal security team. However, RRD’s response was deemed insufficient, as the company neither addressed these alerts promptly nor conducted a timely investigation into the suspicious activity. The SEC also noted that the MSSP had reviewed but not escalated an additional 20 alerts, further exacerbating the situation.
It was not until December 23, 2021, that RRD actively responded to the cyberattack, following a warning from a company sharing access to its network. The investigation revealed that attackers had installed encryption software on RRD’s computers and exfiltrated 70 gigabytes of data from 29 of its 22,000 clients. The compromised data included sensitive personal and financial information, leading to public disclosures about the incident starting December 27, 2021.
The SEC’s order accused RRD of violating Section 13(b)(2)(B) of the Securities Exchange Act of 1934 and Exchange Act Rule 13a-15(a), focusing on two key failures: inadequate disclosure controls and insufficient internal controls. As part of the settlement, RRD agreed to pay a $2,125,000 civil penalty and implement enhanced cybersecurity measures. Although RRD did not admit or deny the SEC’s findings, the company committed to adopting new technologies and controls to prevent future incidents. This settlement underscores the critical importance of robust and transparent cybersecurity practices in the face of increasing regulatory scrutiny.