Aigbe Law Blogs

SEC Charges R.R. Donnelley & Sons Co. with Cybersecurity-Related Controls Violations

Author: Destiny Aigbe

June 20, 2024

INTRODUCTION

In a significant enforcement action, the Securities and Exchange Commission (SEC) announced that R.R. Donnelley & Sons Company (RRD), a global leader in business communication and marketing services, has agreed to pay over $2.1 million to settle charges related to cybersecurity control failures. This action highlights the increasing regulatory focus on cybersecurity and the necessity for companies to implement robust internal controls to protect sensitive data.

CASE OVERVIEW

According to the SEC's order, RRD experienced cybersecurity incidents and alerts in late 2021 that exposed weaknesses in its disclosure and internal control procedures. The SEC's investigation revealed that RRD's controls for elevating cybersecurity incidents to management and protecting company assets from cyberattacks were insufficient.

KEY FINDINGS

  1. Disclosure and Internal Control Failures: The SEC found that RRD failed to design effective disclosure controls and procedures to report relevant cybersecurity information to management responsible for making disclosure decisions. Additionally, RRD did not adequately assess and respond to alerts of unusual activity in a timely manner.
  2. Cybersecurity-Related Internal Accounting Controls: RRD failed to maintain a system of cybersecurity-related internal accounting controls that could provide reasonable assurances that access to its information technology systems and networks was authorized by management.
  3. Violations: The SEC's order determined that RRD violated Section 13(b)(2)(B) of the Securities Exchange Act of 1934 and Exchange Act Rule 13a-15a. These provisions require companies to devise and maintain adequate internal control systems and disclosure procedures.

SETTLEMENT AND COOPERATION

Without admitting or denying the SEC’s findings, RRD agreed to cease and desist from committing violations of these provisions and to pay a $2,125,000 civil penalty. The SEC acknowledged RRD’s meaningful cooperation during the investigation, including reporting the cybersecurity incident to the SEC staff before filing a formal disclosure and voluntarily adopting new cybersecurity technology and controls.

Regulatory Implications

This case underscores the importance of robust cybersecurity measures and the regulatory expectations for companies to protect their data integrity and confidentiality. The SEC's Acting Chief of the Crypto Assets and Cyber Unit, Jorge G. Tenreiro, emphasized that insufficient controls for elevating cybersecurity incidents and protecting company assets from cyberattacks will result in enforcement actions.

CONCLUSION

The RRD case serves as a critical reminder for companies to regularly review and strengthen their cybersecurity-related controls and disclosure procedures. As cyber threats continue to evolve, regulatory scrutiny will likely increase, making it imperative for companies to stay vigilant and proactive in their cybersecurity efforts.

About the Author

Destiny Aigbe

Managing Partner

Aigbe Law PLLC | Dark Alpha Capital

A Corporate and Securities Law Firm

With a robust foundation in law and finance, Destiny Aigbe has carved a distinguished career, underpinned by his pivotal role in orchestrating and managing complex transactions that have propelled companies to significant growth and market prominence. As a seasoned attorney and strategic advisor, Destiny has been instrumental in facilitating over $75 million in capital raises, demonstrating a keen acumen for securing funding and fostering investor confidence.

Destiny's leadership in the execution of six successful public listings, through meticulously structured reverse mergers and registration statements, showcases his adeptness in navigating the intricacies of the public markets and his capacity to guide companies through transformative growth phases. His involvement in five mergers as an operator further illustrates his versatile skill set, extending beyond legal expertise to include hands-on management and operational strategy, though these ventures did not involve funding.

Destiny's professional journey is marked by a commitment to excellence and a diverse range of experiences, from representing a wide spectrum of clients including public and private companies, and investment firms, to holding significant roles within the US government. His tenure with the US Department of State and the National Institutes of Health highlights his adaptability and his contribution to the advancement of entrepreneurial ventures in sectors like biotechnology and nanotechnology through strategic funding initiatives.

An alumnus of Vanderbilt University Law School, Destiny focused on Finance and Mergers & Acquisitions, further honing his expertise with a certificate in Law and Business. His foundational education in Finance was obtained with honors from the University of Maryland's Robert H. Smith School of Business, which laid the groundwork for his subsequent achievements in investment banking and legal practice.

Residing in the Washington, D.C. area, Destiny Aigbe continues to leverage his extensive experience and insightful leadership to drive innovation, growth, and success for his clients and the ventures he is involved with.

© Aigbe Law, PLLC

Categories

Securities LawGoing PublicBanking and FinancePublic FinanceForeign Direct InvestmentUplistingIntellectual PropertyCorporate TaxInterviewsLitigationInitial Public Offerings (IPOs)Industry InsightsUS Export ControlsBitcoinArtificial IntelligenceCybersecurityPatentReal EstateCorporate SecuritiesAdministrative LawWhite Collar DefenseMergers and Acquistions