A business communications and marketing services company agreed to pay more than $2 million to settle charges levied by the Securities and Exchange Commission (SEC) over cybersecurity-related control violations.

Chicago-based R.R. Donnelley & Sons Company (RRD) agreed to cease and desist from further violations in reaching the settlement, the SEC announced in a press release Tuesday. RRD failed to “design effective disclosure controls and procedures to report relevant cybersecurity information to management … and failed to carefully assess and respond to alerts of unusual activity in a timely manner,” the SEC alleged.

The agency acknowledged the firm’s prompt reporting of a ransomware incident to agency staff before public disclosure, cooperation throughout the investigation, and its voluntary adoption of new cybersecurity technology and controls.

The details: Between November 2021 and January 2022, RRD failed to design effective disclosure controls and procedures as defined in Exchange Act rules related to the disclosure of cybersecurity risks and incidents, the SEC alleged in its order.

The firm also failed to “devise and maintain a system of cybersecurity-related internal accounting controls sufficient to provide reasonable assurances that access to RRD’s assets–its information technology systems and networks, which contained sensitive business and client data–was permitted only with management’s authorization,” the order stated.

As a result of these deficiencies, RRD failed to execute a timely response to a ransomware network intrusion, which culminated in encryption of computers, exfiltration of data, and business service disruptions.

Compliance considerations: The SEC said RRD voluntarily revised incident response policies and procedures, adopted new cybersecurity technology and controls, updated employee training, and increased cybersecurity personnel.

Additionally, the firm provided SEC staff with detailed explanations and summaries of specific factual issues at all stages of the staff’s investigation; promptly followed up on several requests from staff without requiring subpoenas, including obtaining information from various employees; provided additional documents; and explained technical cybersecurity issues.

RRD, which did not admit or deny the SEC’s allegations, did not respond to a request for comment.

Jeff Dale is Managing Editor, Editorial Projects and Analytics, at Compliance Week. He previously served as Compliance Week's Digital Editor and has worked as a copy editor at the Boston Herald and city editor at The Hour Publishing Co. in Norwalk, Conn.View full Profile

More from Jeff Dale

Topics