On June 18, 2024, the SEC announced charges against R.R. Donnelley & Sons Co. for its alleged failure to maintain adequate internal accounting controls, and failure to maintain adequate disclosure controls and procedures. The charges, which were simultaneously settled pursuant to a cease-and-desist order imposing a $2,125,000 civil penalty, stemmed from RRD’s allegedly inadequate policies and procedures that led to its alleged failure to execute a timely response to a ransomware attack. This action represents the SEC’s latest assertion of authority to punish a company for alleged “controls failures” that do not impact financial reporting or accounting controls, and the second action in which the SEC has alleged that a company victimized in a cyber attack violated the internal accounting controls provision of the Exchange Act.
Read More