Regulatory Update: SEC Enforcement Action Highlights Cybersecurity Governance Failures

August 5, 2024

On June 18, 2024, the Securities and Exchange Commission (SEC) announced that R.R. Donnelley & Sons Company (RRD), a global provider of business communication and marketing services, has agreed to pay over $2,100,000 to settle charges related to disclosure and internal control failures concerning cybersecurity incidents.

Key Takeaways from the SEC’s Press Release:

  • Insufficient Cybersecurity Controls: the SEC found that RRD’s mechanisms for escalating cybersecurity incidents to management and protecting company assets from cyberattacks were inadequate.

  • Disclosure Failures: the SEC stated that RRD failed to design effective disclosure controls and procedures to report relevant cybersecurity information to management, which impaired its ability to make informed disclosure decisions.

  • Internal Control Deficiencies: according to the release, the company did not maintain sufficient cybersecurity-related internal accounting controls to ensure that access to its information technology systems and networks was authorized by management.

Regulatory Violations:

  • The SEC found that RRD violated Section 13(b)(2)(B) of the Securities Exchange Act of 1934 (the “Exchange Act”) and Exchange Act Rule 13a-15(a).

  • Section 13(b)(2)(B) of the Exchange Act requires public companies to maintain a sufficient system of internal accounting controls. Exchange Act Rule 13a-15(a) requires public companies to adopt disclosure controls that ensure information required to be filed with the SEC is recorded, processed, summarized, and reported within the timeframe specified in the SEC’s rules and forms.

Implications for Businesses: This enforcement action highlights the importance of adhering to the SEC’s rule on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, as well as the need to maintain robust management and disclosure practices.

For insights on the SEC’s rule on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, we invite you to read our article on the rule: “The Securities and Exchange Commission's Rule on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure.”

Contact Us
For assistance in understanding SEC rules or preparing SEC disclosures, please contact our Corporate and Securities team at (949) 788-8900 or email them directly:

  • Lynne Bolduc, Partner (lbolduc@fkbrlegal.com) 

  • Josephine Aranda, Senior Associate (jaranda@fkbrlegal.com)

  • Ikechukwu Ubaka, Associate (iubaka@fkbrlegal.com)
