R.R. Donnelley & Sons Company (RRD) has agreed to pay over $2.1 million to settle charges related to cybersecurity disclosure and internal control failures. The Securities and Exchange Commission (SEC) found that RRD’s systems for managing and reporting cybersecurity incidents were inadequate, particularly concerning the company’s ability to elevate issues to management and protect its assets from cyberattacks.
The SEC’s investigation revealed that RRD failed to implement effective disclosure controls and procedures for reporting cybersecurity information. The company did not respond promptly to alerts about unusual activity and lacked sufficient internal accounting controls to ensure that access to its IT systems was properly managed. This lapse in controls resulted in violations of the Securities Exchange Act of 1934 and Exchange Act Rule 13a-15(a).
Despite the deficiencies, the SEC acknowledged RRD’s cooperation throughout the investigation. The company reported the incident to staff before making a formal disclosure, assisted in expediting the investigation, and adopted new cybersecurity measures. The settlement reflects both the company’s cooperation and the seriousness of the cybersecurity failures.
The SEC’s investigation was led by Arsen Ablaev and Christine S. Bautista, with support from Kathleen Sweeney and Christopher Carpenter. The case highlights the importance of robust cybersecurity controls and timely disclosure of breaches, reinforcing the SEC’s commitment to holding companies accountable for failing to protect sensitive information.