SEC orders R.R. Donnelley to pay $2.1M over cyber-related control violations

 

Chicago-based R.R. Donnelley & Sons Company (RRD), a business communications and marketing services firm, has agreed to a settlement exceeding $2 million with the Securities and Exchange Commission (SEC) to resolve charges related to cybersecurity control violations.

In a press release issued on Tuesday, the SEC announced that RRD has consented to a cease-and-desist order to prevent future violations. The SEC alleged that RRD failed to establish effective disclosure controls and procedures for reporting pertinent cybersecurity information to management. Furthermore, the company purportedly did not adequately evaluate, or promptly respond to, alerts of unusual activity.

The SEC recognized RRD’s prompt reporting of a ransomware incident to agency personnel prior to public disclosure, as well as the company’s cooperation throughout the investigation and voluntary adoption of new cybersecurity technologies and controls.

According to the SEC’s order, between November 2021 and January 2022, RRD allegedly neglected to implement effective disclosure controls and procedures required under Exchange Act rules concerning the disclosure of cybersecurity risks and incidents. The company also allegedly failed to establish and maintain internal accounting controls related to cybersecurity, which would ensure that access to RRD’s IT systems and networks containing sensitive business and client data was authorized only by management.

These shortcomings allegedly contributed to RRD’s delayed response to a ransomware attack on its network, resulting in computer encryption, data exfiltration, and disruptions to business services.

In response to these issues, RRD voluntarily revised its incident response policies and procedures, implemented new cybersecurity technologies, enhanced employee training, and bolstered its cybersecurity team.

Throughout the SEC’s investigation, RRD provided comprehensive explanations and summaries of factual matters to the SEC staff, promptly addressed requests for information, and cooperated without the need for subpoenas.

RRD neither admitted nor denied the SEC’s findings as part of the settlement and did not immediately respond to requests for comment.

Source: complianceweek.com

Peter Tolan is a Junior Content Editor for the HIPTHER network.