Episode 332 — Deep Dive into SEC’s Internal Controls and Cybersecurity Settlement with R.R. Donnelley
In a significant expansion of internal controls enforcement, the SEC announced a $2.1 million settlement with R.R. Donnelley & Sons Co. (“RRD”) for its handling of a 2021 ransomware attack and resulting disclosure failures. The settlement represents the SEC’s first application of its internal controls enforcement authority to include cybersecurity policies and procedures. The SEC’s interpretation represents a significant expansion of its enforcement authority.
In 2021, RRD suffered a cyber attack in which a threat actor used deceptive hacking techniques to install encryption software on certain computers and exfiltrated 70 gigabytes of data, including data tied to 29 clients, some of which contained personal and financial information.
In this episode, Michael Volkov discusses the implications of the SEC’s expansion of internal controls authority to include cybersecurity controls and disclosure procedures.