SEC Charges Marketing Service Provider for Cybersecurity Failures

The Securities and Exchange Commission (SEC) reached a settlement with R.R. Donnelley & Sons Company regarding disclosure and internal control failures related to cybersecurity incidents occurring in 2021. Jorge G. Tenreiro, Acting Chief of the Crypto Assets and Cyber Unit, noted, “The Commission instituted this enforcement action because RRD’s controls for elevating cybersecurity incidents to its management and protecting company assets from cyberattacks were insufficient.” The SEC alleged that the firm “failed to design effective disclosure controls and procedures to report relevant cybersecurity information to management with the responsibility for making disclosure decisions, and failed to carefully assess and respond to alerts of unusual activity in a timely manner.” R.R. Donnelley is required to pay $2.1 million as a condition of the settlement. Interestingly, the Commission noted that R.R. Donnelley’s cooperation during the investigation is “reflected in the settlement terms.” In their joint dissent, Commissioners Hester Peirce and Mark Uyeda noted that the Commission’s authority in the case rests on a “broad interpretation” of Section 13(b)(2)(B) of the Exchange Act (pertaining to internal accounting controls), which “gives the Commission a hook to regulate public companies’ cybersecurity practices.” R.R. Donnelley & Sons is a marketing and communications company that provides services to certain entities in the fund industry.
