
In June 2024, the U.S. Securities and Exchange Commission (SEC) announced a settlement with R.R. Donnelley & Sons Co. (RRD) for cybersecurity-related failures that occurred between November 2021 and January 2022. The SEC’s investigation revealed that RRD violated several key provisions of the Securities Exchange Act of 1934 by failing to establish proper disclosure controls and cybersecurity-related internal accounting controls. These failures resulted in RRD’s delayed response to a ransomware intrusion that exposed sensitive business and client data.
Key Findings:
- Inadequate Cybersecurity and Disclosure Controls:
  - During the Relevant Period (November 2021 – January 2022), RRD failed to implement effective cybersecurity procedures and internal controls. As a company storing large volumes of sensitive data, including confidential client information, these failures had significant consequences.
  - RRD did not have adequate measures in place to detect and respond to potential cybersecurity threats. Specifically, the company failed to prioritize and address alerts related to a ransomware attack that ultimately compromised its network.
- 2021 Ransomware Incident:
  - Between November 29 and December 23, 2021, RRD’s systems detected malware in its network, issuing numerous alerts. However, the company’s third-party cybersecurity provider (MSSP) and internal personnel failed to take sufficient action, allowing the ransomware to spread.
  - As a result, attackers encrypted systems, exfiltrated 70 GB of data, and disrupted services. The breach affected 29 clients, some of whose sensitive information, including personal and financial data, was compromised.
- Delayed Response and Poor Incident Management:
  - Despite early warnings from the MSSP, RRD did not take immediate steps to mitigate the threat. It wasn’t until December 23, 2021, that RRD began actively responding to the attack, after being alerted by another company that shared network access.
  - The company’s failure to act on alerts in a timely manner led to significant data exposure and operational disruptions.
- Violations of Federal Securities Laws:
  - RRD’s inadequate internal controls violated Section 13(b)(2)(B) of the Securities Exchange Act, which requires issuers to maintain sufficient internal accounting controls to protect assets.
  - Additionally, the company violated Rule 13a-15(a) by failing to maintain disclosure controls to ensure timely reporting of cybersecurity risks and incidents.
SEC Sanctions:
As part of the settlement, RRD agreed to:
- Cease-and-desist from committing future violations of the Exchange Act’s provisions related to internal controls and disclosure procedures.
- Pay a $2.125 million civil penalty to the SEC within 10 days.
- Implement and maintain enhanced cybersecurity measures, including updated incident response policies and employee training programs.
Remedial Actions:
In response to the ransomware attack, RRD cooperated with the SEC and took significant steps to strengthen its cybersecurity framework. These actions included revising incident response procedures, increasing cybersecurity personnel, and adopting new technology to better monitor and respond to security threats.
Conclusion:
This case highlights the growing importance of robust cybersecurity practices and internal controls for businesses managing sensitive client information. The SEC’s enforcement action against R.R. Donnelley & Sons underscores the need for companies to prioritize cybersecurity and ensure that adequate protections are in place to respond quickly to threats, minimizing the risk of data breaches and regulatory violations.
About Michael Rasmussen

Michael Rasmussen is the founder of United Atlantic Legal Services. He is a licensed attorney in Florida and registered solicitor in the United Kingdom. Michael has acted as General Counsel and Chief Compliance Officer to several investment advisers, including private fund managers, responsible for the management of billions of dollars in client assets.
Michael is also the founder of FinProLaw, an online learning platform where Michael has created courses designed for investment adviser compliance professionals. These courses include:
- Investment Adviser Compliance Essential for Chief Compliance Officers
- Foundations of Investment Adviser Compliance
- What is a “Security”?
- Investment Adviser Marketing Rule
- Regulation A – Exemption from Registration
- Regulation Crowdfunding – Exemption from Registration
- Regulation D – Exemption from Registration
Michael can also be found on LinkedIn.
Investment adviser firms that are also clients of United Atlantic Legal Services can receive many of these courses at a significantly reduced fee or, in some cases, at no expense. Contact us today or visit FinProLaw to learn more.