SEC orders R.R. Donnelley to pay $2.1M over cyber-related control violations


Chicago-based R.R. Donnelley & Sons Company (RRD), a business communications and marketing services firm, has agreed to pay roughly $2.1 million to settle Securities and Exchange Commission (SEC) charges that it violated cybersecurity-related disclosure and internal control requirements.

In a press release issued on Tuesday, the SEC announced that RRD has consented to a cease-and-desist order barring future violations. The SEC alleged that RRD failed to establish effective disclosure controls and procedures for escalating pertinent cybersecurity information to management. The company also allegedly failed to adequately evaluate, and respond promptly to, alerts of unusual activity on its network.

The SEC recognized RRD’s prompt reporting of a ransomware incident to agency personnel prior to public disclosure, as well as the company’s cooperation throughout the investigation and voluntary adoption of new cybersecurity technologies and controls.

According to the SEC’s order, between November 2021 and January 2022, RRD allegedly failed to implement the disclosure controls and procedures that Exchange Act rules require for the disclosure of cybersecurity risks and incidents. The company also allegedly failed to devise and maintain internal accounting controls relating to cybersecurity that were reasonably designed to ensure that access to RRD’s IT systems and networks, which held sensitive business and client data, was permitted only with management’s authorization.

These shortcomings allegedly contributed to RRD’s delayed response to a ransomware attack on its network, which encrypted computers, exfiltrated data, and disrupted business services.

In response to these issues, RRD voluntarily revised its incident response policies and procedures, implemented new cybersecurity technologies, enhanced employee training, and bolstered its cybersecurity team.

Throughout the SEC’s investigation, RRD provided comprehensive explanations and summaries of factual matters to the SEC staff, promptly addressed requests for information, and cooperated without the need for subpoenas.

RRD neither admitted nor denied the SEC’s findings as part of the settlement. The company did not immediately respond to a request for comment.