SEC Charges R.R. Donnelley & Sons Co. with Cybersecurity-Related Controls Violations

The Securities and Exchange Commission today announced that R.R. Donnelley & Sons Company (RRD), a global provider of business communication and marketing services, agreed to pay over $2.1 million to settle disclosure and internal control failure charges relating to cybersecurity incidents and alerts in late 2021.

***

According to the SEC’s order, data integrity and confidentiality were critically important to RRD’s business. Because client data was stored on RRD’s network, its information security personnel and the third-party service provider RRD hired were responsible for monitoring the network’s security. However, according to the order, RRD failed to design effective disclosure controls and procedures to report relevant cybersecurity information to management with the responsibility for making disclosure decisions, and failed to carefully assess and respond to alerts of unusual activity in a timely manner. The order further finds that RRD failed to devise and maintain a system of cybersecurity-related internal accounting controls sufficient to provide reasonable assurances that access to RRD’s assets – its information technology systems and networks – was permitted only with management’s authorization.

Source: SEC Charges R.R. Donnelley & Sons Co. with Cybersecurity-Related Controls Violations