The SEC has announced that R.R. Donnelley & Sons Company (RRD), a global provider of business communication and marketing services, agreed to pay over $2.1 million to settle charges of disclosure and internal control failures relating to cybersecurity incidents and alerts in late 2021. According to the SEC’s order, data integrity and confidentiality were critically important to RRD’s business. Because client data was stored on RRD’s network, its information security personnel and the third-party service provider RRD hired were responsible for monitoring the network’s security.
However, according to the order, RRD failed to design effective disclosure controls and procedures to report relevant cybersecurity information to the management responsible for making disclosure decisions, and failed to carefully assess and respond to alerts of unusual activity in a timely manner. Are your cybersecurity processes robust enough to handle a data breach?