Key Implications and Practical Cyber Program Lessons From SEC’s R.R. Donnelley Settlement

The SEC’s recent settlement with R.R. Donnelley & Sons includes an aggressive and untested legal interpretation that would give the regulator a free hand to bring more cases based on inadequate cybersecurity practices. The charged violations, which arose from a 2021 ransomware attack, expand the definition of “accounting controls” to include cyber practices. Dissenting commissioners warned the interpretation stretches the law too far, and later this summer a court will decide on the approach’s validity in the agency’s SolarWinds case. This article examines four key impacts of the settlement and provides practical cybersecurity program recommendations based on the SEC’s new approach. It includes insights from former regulators at Debevoise & Plimpton, Mayer Brown and Woodruff Sawyer, and defense attorneys at A&O Shearman and Sullivan & Cromwell. See “Current and Former Enforcement Staffs’ Tips for Litigating Against the SEC” (Oct. 18, 2023).

To read the full article

Continue reading your article with a CSLR subscription.