SEC Fines R.R. Donnelley & Sons Co. $2.1 Million for Cybersecurity Control Failures

SEC Fines R.R. Donnelley & Sons Co. $2.1 Million for Cybersecurity Control Failures


The Securities and Exchange Commission (SEC) has announced that R.R. Donnelley & Sons Company (RRD), a global provider of business communication and marketing services, has agreed to pay over $2.1 million to settle charges related to cybersecurity control failures. The case, however, has ignited a debate about the SEC's interpretation and application of internal accounting controls regulations.

The charges stem from incidents and alerts that occurred in late 2021, which the SEC claims RRD failed to properly address due to insufficient controls for elevating cybersecurity issues to management and protecting company assets from cyberattacks.

Jorge G. Tenreiro, Acting Chief of the SEC's Crypto Assets and Cyber Unit, stated, "The Commission instituted this enforcement action because RRD's controls for elevating cybersecurity incidents to its management and protecting company assets from cyberattacks were insufficient."

According to the SEC's order, RRD's business heavily relied on data integrity and confidentiality, with client data stored on the company's network. However, the company allegedly failed to design effective disclosure controls and procedures to report relevant cybersecurity information to management responsible for making disclosure decisions. Additionally, RRD is accused of not responding to alerts of unusual activity in a timely manner.

The SEC found that RRD violated Section 13(b)(2)(B) of the Securities Exchange Act of 1934 and Exchange Act Rule 13a-15a. Without admitting or denying the findings, RRD agreed to cease and desist from committing violations of these provisions and pay a $2,125,000 civil penalty.

Despite the charges, the SEC acknowledged RRD's cooperation throughout the investigation. The company reported the cybersecurity incident to staff prior to filing a disclosure, provided meaningful cooperation that expedited the investigation, and voluntarily adopted new cybersecurity technology and controls.

However, this case has sparked debate about the SEC's interpretation of internal accounting controls. Critics argue that the SEC is stretching the definition of "assets" under Section 13(b)(2)(B)(iii) to include computer systems, which they claim falls outside the traditional scope of internal accounting controls.

The Order states that the "assets" accessed were RRD's "information technology systems and networks." Some experts argue that while these are company assets in a broad sense, they may not fit the category of assets typically covered by Section 13(b)(2)(B)'s internal accounting controls provisions.

Critics point out that the internal accounting controls provision originates from auditing standards focused on safeguarding assets in relation to financial transactions and records. They argue that computer systems, while processing transactions, are not themselves the subject of corporate transactions in the way that the provision was originally intended to address.

This case raises questions about the distinction between administrative controls and accounting controls, and whether the SEC is broadening its regulatory scope by treating cybersecurity practices as falling under internal accounting controls.

The SEC's approach in this case could have significant implications for public companies' cybersecurity practices. It suggests that the Commission may use Section 13(b)(2)(B) as a tool to indirectly regulate cybersecurity measures, potentially contradicting assurances made during recent cyber-disclosure rule-making.

This case underscores the SEC's ongoing focus on cybersecurity practices in public companies and the importance of maintaining robust controls and disclosure procedures related to cybersecurity incidents. However, it also highlights the evolving nature of regulatory interpretation in the face of new technological challenges and the potential for debate over the appropriate scope of existing regulations.

The GRC Report is your premier destination for the latest in governance, risk, and compliance news. As your reliable source for comprehensive coverage, we ensure you stay informed and ready to navigate the dynamic landscape of GRC. Beyond being a news source, the GRC Report represents a thriving community of professionals who, like you, are dedicated to GRC excellence. Explore our insightful articles and breaking news, and actively participate in the conversation to enhance your GRC journey.