The U.S. Securities and Exchange Commission (SEC) has reached a settlement with R.R. Donnelley & Sons Company (RRD), a global provider of business communication and marketing services, for over $2.1 million. The settlement addresses allegations of failures in the company’s cybersecurity disclosure and internal controls related to a significant R.R. Donnelley data breach in late 2021.
“The Commission instituted this enforcement action because RRD’s controls for elevating cybersecurity incidents to its management and protecting company assets from cyberattacks were insufficient,” said Jorge G. Tenreiro, Acting Chief of the Crypto Assets and Cyber Unit.
“RRD did, however, cooperate with our investigation in a meaningful way, and that is reflected in the terms of this settlement.”
Background of R.R. Donnelley Data Breach Case
The SEC’s enforcement action, announced on July 18, stems from cybersecurity lapses experienced by RRD, which are said to have compromised critical data integrity and confidentiality. On November 29, 2021, RRD’s third-party managed security services provider (MSSP) escalated three security alerts to the company’s internal security team.
However, the SEC contends that RRD failed to adequately address these alerts and did not conduct its own timely investigation into suspicious activities. The MSSP reportedly reviewed but did not escalate an additional 20 alerts related to the same threat.
It wasn’t until December 23, 2021, that RRD began an active response to the cyberattack, following a warning from a company with shared access to RRD’s network. The investigation revealed that attackers had installed encryption software on RRD computers and exfiltrated 70 gigabytes of data from 29 of its 22,000 clients.
This R.R. Donnelley data breach included sensitive personal and financial information. RRD made public disclosures about the incident beginning on December 27, 2021.
SEC Allegations and Settlement
The SEC’s order accused RRD of violations of Section 13(b)(2)(B) of the Securities Exchange Act of 1934 and Exchange Act Rule 13a-15(a). The allegations centered on two main areas:
- Failure to Maintain Adequate Disclosure Controls: The SEC claimed that RRD’s controls for reporting cybersecurity incidents were insufficient. Specifically, the company did not have effective procedures for elevating cybersecurity information to management or for responding to and investigating alerts. The SEC also criticized RRD for lacking a prioritization scheme in its incident response plan and failing to oversee its MSSP’s alert management.
- Failure to Implement Internal Controls: The SEC found that RRD did not maintain adequate internal controls to ensure that access to its IT systems was authorized by management. This failure hindered the company’s ability to investigate and remediate the incident effectively.
As part of R.R. Donnelley data breach settlement, RRD agreed to pay a $2,125,000 civil penalty and cease and desist from further violations of these provisions. The company did not admit or deny the SEC’s findings but committed to adopting new cybersecurity technologies and controls.
The SEC noted that RRD’s cooperation during the investigation, including its early reporting of the incident and voluntary enhancements to its cybersecurity measures, was a factor in the settlement terms.
The SEC’s settlement with RRD highlights the importance of maintaining effective disclosure and internal controls related to cybersecurity. As regulatory scrutiny intensifies, companies must ensure that their cybersecurity measures are not only strong but also transparent to management and the public.
The SEC’s investigation and R.R. Donnelley data breach settlement signal a clear message: inadequate handling and reporting of cybersecurity incidents can result in significant financial and reputational repercussions.
