Cybersecurity Is Now a CFO’s Problem—And the SEC Is Watching
The SEC’s enforcement action against RR Donnelley (RRD) wasn’t just about a breach. It was about how the company failed to escalate, document, and disclose the incident properly. The SEC classified RRD’s IT systems as financial assets—and penalized the company for failing to maintain adequate internal accounting controls over them.
This ruling is a game-changer for both CFOs and vCSOs. If cybersecurity is now an accounting issue, CFOs and executive leadership must be actively involved in security oversight. That means cyber risk is no longer just about preventing breaches—it’s about proving to regulators, insurers, and investors that your business can withstand them.
Let’s break down what happened with RR Donnelley and what every CFO needs to do next.
The RR Donnelley Case: A Breach That Became a Regulatory Nightmare
A Cyber Incident That Should Have Been Contained
Like many organizations, RRD relied on a Managed Security Services Provider (MSSP) to help monitor and manage cybersecurity threats. Their intrusion detection systems were set up to flag suspicious activity, sending alerts that were visible to both the MSSP and RRD’s internal cybersecurity team.
The MSSP’s role? Filter out false alarms and escalate legitimate threats.
In November 2021, the MSSP received and reviewed over 20 security alerts from RRD’s detection systems. Three of these alerts were escalated to RRD, flagging suspicious network activity linked to a potential phishing campaign.
And what did RRD do?
Nothing.
The company failed to investigate, contain, or escalate the incident internally. No systems were taken offline, no further actions were taken to prevent a breach, and no executives were informed.
By the time RRD finally responded on December 23, 2021, attackers had already exfiltrated 70GB of sensitive client data—including financial and personally identifiable information (PII) from 29 clients.
What the SEC Penalized RRD For
RRD settled with the SEC for $2.125 million over two key failures:
Lack of Proper Disclosure Controls
RRD failed to escalate security alerts internally, leaving executive leadership uninformed.
The company lacked a clear workflow for incident response, leading to delays in decision-making and public disclosure.
Weak Internal Cybersecurity Controls
RRD failed to restrict unauthorized access to critical IT systems.
RRD had no structured process for auditing its MSSP, allowing critical alerts to go unreviewed.
This case wasn’t just about security failures—it was about governance failures. The SEC didn’t just see a cyber breach; they saw a breakdown in financial and operational oversight.
What This Means for CFOs & Executive Leadership
This case sets a dangerous precedent. If the SEC can classify IT systems as financial assets, what’s next? Could a failed security update be labeled an accounting failure? Could a breach trigger an SEC investigation into financial controls?
The reality is you don’t get to decide how the SEC interprets your security practices—they do.
Cybersecurity and Financial Controls Are Now Intertwined
If your security failures lead to a breach, the SEC can now argue that your financial controls were insufficient.
Companies must demonstrate proof that security risks are actively managed and reported—just like financial risks.
Documentation isn’t optional. If you can’t prove that security measures were in place and enforced, your organization is exposed to regulatory scrutiny, legal action, and insurance claim denials.
The CFO’s Role in Cyber Oversight
Cyber risk is no longer just a conversation between IT and security teams. CFOs and finance leaders must now ensure cybersecurity aligns with financial controls, corporate governance, and regulatory compliance.
Here’s what every CFO should be doing now:
1. Get a Third-Party Cybersecurity Assessment—Now
Internal security teams cannot objectively assess their own vulnerabilities. RRD’s case proves that organizations don’t know what they don’t know—until it’s too late.
A third-party cybersecurity assessment provides:
An unbiased evaluation of your company’s security gaps.
Documentation of proactive risk management—critical for SEC audits and cyber insurance claims.
Actionable steps to align security efforts with financial controls and compliance expectations.
If your security posture hasn’t been independently verified, you’re already behind.
2. Align Cybersecurity with Financial Controls
If the SEC is treating IT systems as financial assets, then CFOs need visibility into cyber risk, just like they do with cash flow, investments, and balance sheets.
Steps to take now:
Establish formal reporting structures between the security team, finance team, and executive leadership.
Map cybersecurity risks to financial risks to quantify potential impacts on revenue, operations, and regulatory exposure.
Ensure cyber risks are included in financial audits—just like fraud and compliance risks.
3. Documentation Is Your Best Defense Against Regulators
In the wake of a breach, the SEC, insurers, and legal teams won’t just ask, “What security measures were in place?”
They’ll ask, “Where’s the proof?”
Without documentation, your company has no defense.
What to document:
Incident response playbooks that define clear escalation procedures and accountability.
Audit trails of security controls, patches, and access management.
Regular penetration tests and risk assessments conducted by independent cybersecurity firms.
Evidence of compliance with regulatory and cyber insurance requirements.
If it isn’t documented, it didn’t happen.
4. Ensure Your Cyber Policies Meet SEC & Insurance Expectations
The FTC Safeguards Rule, SEC cyber disclosure regulations, and evolving cyber insurance underwriting standards all require clear, enforceable cybersecurity policies.
CFOs should ensure:
Policies meet current regulatory and insurance standards.
Cyber liability insurance covers emerging threats and regulatory actions.
Security budgets align with actual risk—not just IT wish lists.
If you’re unsure whether your current policies hold up, fix them now.
Bottom Line: The SEC Has Changed the Game
Cybersecurity isn’t just about preventing breaches anymore. It’s about protecting your company from regulatory action, financial penalties, and legal exposure.
Companies can survive in this new era of enforcement if they:
Document everything
Escalate risks properly
Validate their security with independent cybersecurity assessments
The ones that don’t? They won’t. Because when an attack happens, the SEC won’t just ask, “How did this happen?” They’ll ask, “Where’s the evidence that you were managing it?”
If you don’t have an answer, well, you have a problem.