A must-read for issuers: the SEC charged R.R. Donnelley & Sons Co. with failing to maintain disclosure controls and procedures and internal accounting controls relating to its cybersecurity practices. While the alleged facts support the company’s failure to respond timely and appropriately to information regarding a 2021 ransomware network intrusion, the asserted connection between the company’s handling of the incident and the securities law violations is concerning with respect to the SEC’s hindsight review of the company’s internal incident management practices, including the company’s use of and reliance on its third-party security service provider and the associated scope of authority. This dissent from Commissioners Peirce and Uyeda dissects the Order in relation to the allegedly erroneous determination of an internal accounting controls-related violation.