News & Insights

SEC Applies Broad Scope of Regulation in Cybersecurity-Related Charges Against R.R. Donnelley & Sons

What happened?

On June 18th, 2024, the SEC announced that R.R. Donnelley & Sons (RRD) agreed to pay over $2.1 million to settle disclosure and internal control failure charges relating to cybersecurity incidents and alerts in late 2021. The SEC determined that RRD violated two provisions of the federal securities law that apply to public companies. While the SEC has not yet adopted the Cyber Risk Management Rule that would govern registered investment advisers, firms should take note of this settlement as it is in line with SEC’s seemingly continuous expansion of cyber requirements.

In a SEC press release, Jorge G. Tenreiro, Acting Chief of the Crypto Assets and Cyber Unit, stated, “The SEC instituted the enforcement action because RRD’s controls for elevating cybersecurity incidents to its management and protecting company assets from cyberattacks were insufficient.”

The basis for this violation stemmed from the cyberattack RRD incurred in 2021 and its delayed response and inadequate investigation to address the incident. The SEC noted that RRD had an “internal intrusion detection system” in place that issued alerts regarding malware present in their network. RRD’s managed security service provider (“MSSP”) sent alerts to RRD personnel for review. However, due to reliance on its MSSP, RRD did not remove the infected devices from the network or conduct an investigation.

Commissioners Hester M. Peirce and Mark T. Uyeda issued a statement of dissent in response to the SEC’s enforcement action against RRD, saying it “breaks new ground with [the Commission’s] expansive interpretation” of Exchange Act Section 13(b)(2)(B)(iii). Peirce and Uyeda expressed concern that the settlement ignored the important distinction between accounting controls that Section 13(b)(2)(B)(iii) is designed to protect, and other administrative controls governing cybersecurity practices.  Another concern, brought to light by Peirce and Uyeda, is the Commission’s decision to broadly interpret the law to regulate a company that was the victim of an incident: “While an enforcement action may be warranted in some circumstances, distorting a statutory provision to form the basis for such an action inappropriately amplifies a company’s harm from a cyberattack.”

This proceeding serves as a reminder of the potential consequences of a delayed response and inadequate investigation of an incident. Despite the malware in the network being evident to RRD and its third-party managed security services provider (MSSP), the incidents were not promptly addressed, leading to a significant breach in their network security.

What does this mean for me and my firm?

While the proposed cybersecurity risk management rule is not yet adopted, the SEC is demonstrating that it will apply regulation broadly.

If not already in place, firms should firms should implement a wholistic cyber and data security program, including an incident response plan. Under the recently adopted amendments to Regulation S-P, covered institutions will be required to implement an incident response program, comply with a customer notification requirement, adopt policies regarding monitoring service providers, and more.

For firms working to implement the required changes under Amended Regulation S-P, an incident response plan is a good place to start. As seen with RRD, establishing a thorough incident response program is essential to support a firm in protecting sensitive client information.

Still have questions? Let us know and one of our regulatory experts will be in touch.