R.R. Donnelley Settles SEC Charges Over Third-Party Cybersecurity Failures

On 18 June 2024, the US Securities and Exchange Commission announced a $2.125 million settlement with R.R. Donnelley & Sons Co., a leading provider of business communications and marketing services, due to cybersecurity-related violations. The settlement addressed the company’s oversight failures regarding its third-party managed security services provider (MSSP) during a significant cybersecurity incident in late 2021.

Key Points:

  1. Background: R.R. Donnelley, headquartered in Chicago, provides global business communication services. It stores and transmits sensitive data for a variety of clients, including SEC-registered firms and financial institutions.
  2. Third-Party Management Failure: The SEC found that Donnelley failed to adequately manage and supervise its third-party managed security services provider, which was responsible for monitoring cybersecurity alerts. This lack of oversight led to significant delays in response to critical alerts, ultimately resulting in a ransomware attack that compromised 70 GB of client data.
  3. Legal Findings: The company was charged with violating Section 13(b)(2)(B) of the Securities Exchange Act and Exchange Act Rule 13a-15(a), both of which mandate robust internal controls and proper disclosure of cybersecurity risks.
  4. Settlement and Cooperation: R.R. Donnelley cooperated with the SEC investigation by promptly adopting new cybersecurity measures, revising internal procedures, and increasing cybersecurity staffing. This cooperation influenced the settlement terms, which reflected the company's proactive remedial actions.
