R.R. Donnelley Charged with Cybersecurity Control Violations (06/18/24)

The SEC charged R.R. Donnelley & Sons Company with cybersecurity control violations under the Securities Exchange Act of 1934. The firm agreed to pay over $2.1 million for disclosure and internal control failures related to cybersecurity incidents.

Private funds and investment advisers are not subject to the Exchange Act provisions under which this case was brought. However, recent changes for Regulation S-P, proposed cybersecurity risk management rulemaking and regulatory guidance demonstrate that the SEC is similarly concerned that investment advisers adopt, implement, and maintain robust cybersecurity programs and incident response plans.