R.R. Donnelley and Sons given a $2.1m charge amid data security concerns

R.R. Donnelley & Sons Company (RRD) has been at the center of a data security case, a matter of significant regulatory concern, brought forward by the Securities and Exchange Commission (SEC).

The marketing and communications service provider has been charged with internal control failure in relation to a series of 2021 cybersecurity incidents. The investigation was led by Arsen Ablaev of the SEC Crypto Assets and Cyber Unit and Christine S. Bautista of the SEC Chicago Regional Office, underscoring the seriousness of the case.

R.R. Donnelley & Sons in cybersecurity case

R.R. Donnelley’s business is centered around digital standards and cybersecurity. The company has a broad portfolio of public and private sector clients across healthcare, education, legal services, and retail.

So, it would be assumed that a leading name could safeguard sensitive data, but the SEC investigation found the company lacking in many departments. The SEC order found that the company and the third-party contractors hired to build solutions did not have effective disclosure controls and procedures to report relevant cybersecurity information.

As a result, stakeholders and decision-makers at RRD were left unable to make informed decisions on security concerns and breaches in a “timely manner”, highlighting the real-world implications of the company’s data security shortcomings.

“RRD’s controls for elevating cybersecurity incidents to its management and protecting company assets from cyberattacks were insufficient,” said Jorge G. Tenreiro, Acting Chief of the Crypto Assets and Cyber Unit. “RRD did, however, cooperate with our investigation in a meaningful way, which is reflected in the terms of this settlement.”

RRD cooperates with the SEC

The company received positive feedback for being transparent during the investigation. The SEC report stated that RRD “cooperated throughout the investigation, including by reporting the cybersecurity incident to staff prior to filing a disclosure of the incident, by providing meaningful cooperation that helped expedite the staff’s investigation, and by voluntarily adopting new cybersecurity technology and controls.”

However, RRD was found guilty of breaching Section 13(b)(2)(B) of the Securities Exchange Act (SEA) of 1934 and Exchange Act Rule 13a-15a.

The company did not oppose the SEC’s findings and agreed to pay a civil penalty of $2,125,000. RRD has also stated that it will no longer be in breach of the SEA and hopes to rectify these shortcomings.

msn