Public Company Settles SEC Charges for Cybersecurity Control Failures

"As this proceeding illustrates, ... [a]ny departure from what the Commission deems to be appropriate cybersecurity policies could be deemed an internal accounting controls violation."
Mark T. Uyeda and Hester M. Peirce, SEC Commissioners

A public company settled SEC charges for failing to maintain effective disclosure controls and procedures and internal accounting controls related to a cybersecurity incident.

According to the Order, the company, a provider of marketing and communications services, handled large amounts of sensitive and confidential data. The SEC said that the company engaged a "third-party managed security services provider" to monitor its network for intrusions and alert the company to suspicious network activity. The SEC found that, once the company became aware of a "ransomware network intrusion," it failed to adequately address it: among other things, the company (i) did not take "the infected instances off the network," (ii) "fail[ed] to conduct its own investigation of the activity, or otherwise take steps to prevent further compromise," and (iii) failed to escalate "alerts related to the same activity, including alerts regarding the same malware being installed or executed on multiple other computers across the network and compromise of a domain controller server, which provided the threat actor with access to and control over a broader sweep of network resources and credentials." The SEC found that, as a result of these and other failures, the data of 22,000 clients was stolen by hackers.

The SEC found the company failed to maintain sufficient internal accounting and disclosure controls in violation of Exchange Act Section 13(b)(2)(B) ("Periodical and other reports") and Rule 13a-15(a) ("Controls and procedures").

To settle the charges, the provider agreed to (i) cease and desist from future violations and (ii) pay a civil penalty of $2.125 million.

Commissioner Statement

In a joint statement, Commissioners Hester M. Peirce and Mark T. Uyeda criticized the SEC for interpreting a weakness in the company's administrative and cybersecurity practices as a failure of accounting controls. They said the SEC punished the company even though it was the victim of the cyberattack.
