{"id":7482,"date":"2024-07-17T10:54:54","date_gmt":"2024-07-17T14:54:54","guid":{"rendered":"https:\/\/seci.wpenginepowered.com\/?p=7482"},"modified":"2024-07-17T10:54:59","modified_gmt":"2024-07-17T14:54:59","slug":"yet-another-cybersecurity-enforcement-action","status":"publish","type":"post","link":"https:\/\/seciblog.pli.edu\/index.php\/yet-another-cybersecurity-enforcement-action\/","title":{"rendered":"Yet Another Cybersecurity Enforcement Action"},"content":{"rendered":"\n<p>On June 18, 2024, the SEC&nbsp;<a href=\"https:\/\/www.sec.gov\/news\/press-release\/2024-75\">announced<\/a>&nbsp;a settled enforcement action against R.R. Donnelley &amp; Sons Co. focused on both ICFR and disclosure controls and procedures related to cybersecurity risk.&nbsp;&nbsp;As you can read in the related&nbsp;<a href=\"https:\/\/www.sec.gov\/files\/litigation\/admin\/2024\/34-100365.pdf\">Order<\/a>, the company used an outside service provider to help monitor cybersecurity matters.&nbsp;&nbsp;The service provider notified the company\u2019s security personnel about a \u201cnetwork ransomware intrusion.\u201d&nbsp;&nbsp;Based in part on input from the service provider, R.R. Donnelley did not take further action or conduct a deeper investigation.&nbsp;&nbsp;In this case the SEC maintains that R.R. Donnelley did not maintain effective ICFR related to cybersecurity risk because the company did not have appropriate controls to respond to these warnings.&nbsp;&nbsp;In addition, the Order maintains that the company\u2019s disclosure controls and procedures did not appropriately inform management responsible for making disclosure decisions about cybersecurity incidents.<\/p>\n\n\n\n<p>The company, which cooperated with the SEC in the investigation, entered into a cease-and-desist order and paid a $2.125 million civil penalty.<\/p>\n\n\n\n<p>In reaction to this enforcement, Commissioners Hester M. Peirce and Mark T. 
Uyeda issued a Statement titled \u201c<a href=\"https:\/\/www.sec.gov\/newsroom\/speeches-statements\/peirce-uyeda-statement-rr-donnelley-061824\">Hey, look, there\u2019s a hoof cleaner! Statement on R.R. Donnelley &amp; Sons, Co.<\/a>,\u201d which provides an interesting discussion of administrative versus accounting controls related to cybersecurity issues.<\/p>\n\n\n\n<p>You can read about earlier cybersecurity-related enforcement actions in&nbsp;<a href=\"https:\/\/seciblog.pli.edu\/cybersecurity-enforcement-and-chief-information-security-officers\/\">this post<\/a>&nbsp;which involves a CISO and&nbsp;<a href=\"https:\/\/seciblog.pli.edu\/yet-another-cybersecurity-disclosure-enforcement-case\/\">this post<\/a>&nbsp;which also mentions disclosure controls and procedures.<\/p>\n\n\n\n<p>As always, your thoughts and comments are welcome!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>On June 18, 2024, the SEC&nbsp;announced&nbsp;a settled enforcement action against R.R. Donnelley &amp; Sons Co. 
focused on both ICFR and disclosure controls and procedures related to cybersecurity risk.&nbsp;&nbsp;As you can read in the related&nbsp;Order, the company used an outside service provider to help monitor cybersecurity matters.&nbsp;&nbsp;The service provider notified the company\u2019s security personnel about a &hellip; <a href=\"https:\/\/seciblog.pli.edu\/index.php\/yet-another-cybersecurity-enforcement-action\/\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">Yet Another Cybersecurity Enforcement Action<\/span> <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":9,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":true,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2},"_wpas_customize_per_network":false},"categories":[261,143],"tags":[],"coauthors":[154],"class_list":["post-7482","post","type-post","status-publish","format-standard","hentry","category-enforcement","category-hot-topic"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"post_mailing_queue_ids":[],"_links":{"self":[{"href":"https:\/\/seciblog.pli.edu\/index.php\/wp-json\/wp\/v2\/posts\/7482","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/seciblog.pli.edu\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/seciblog.pli.edu\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/seciblog.pli.edu\/index.php\/
wp-json\/wp\/v2\/users\/9"}],"replies":[{"embeddable":true,"href":"https:\/\/seciblog.pli.edu\/index.php\/wp-json\/wp\/v2\/comments?post=7482"}],"version-history":[{"count":0,"href":"https:\/\/seciblog.pli.edu\/index.php\/wp-json\/wp\/v2\/posts\/7482\/revisions"}],"wp:attachment":[{"href":"https:\/\/seciblog.pli.edu\/index.php\/wp-json\/wp\/v2\/media?parent=7482"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/seciblog.pli.edu\/index.php\/wp-json\/wp\/v2\/categories?post=7482"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/seciblog.pli.edu\/index.php\/wp-json\/wp\/v2\/tags?post=7482"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/seciblog.pli.edu\/index.php\/wp-json\/wp\/v2\/coauthors?post=7482"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}