Disclosure Controls and Procedures - Not Just a Quarterly Certification

Bryan Cave Leighton Paisner
Contact

On June 15, 2021, the SEC announced that it had settled charges against First American Financial Corporation for failures in First American’s disclosure controls and procedures.  Rule 13a-15(a) under the Exchange Act requires issuers to maintain disclosure controls and procedures designed to ensure that information required to be disclosed by an issuer in reports it files or submits under the Exchange Act is recorded, processed, summarized and reported within the time periods specified in the SEC’s rules and forms. 

According to the SEC’s order, in May 2019, company management learned from a journalist that the company was experiencing a cybersecurity vulnerability that had resulted in the inadvertent public availability of customers’ personal data.  First American responded by issuing a statement to the press explaining that the company had learned of a design defect that had resulted in “possible unauthorized access to customer data” and had taken “immediate action to address the situation and shut down external access” to the data.  A few days later, First American issued a press release that was also furnished on Form 8-K.  In the release, the company reported that there was “[n]o preliminary indication of large-scale unauthorized access to customer information.”

Contrary to these disclosures, the SEC found that the vulnerability had exposed sensitive personal data, including social security numbers, in over 800 million images of customer documents for a period dating back to as early as 2003.  The SEC also found that the senior executives of the company who were responsible for the May 2019 disclosures were, when approving such disclosures, lacking certain information necessary for them to assess the magnitude of the risk, as well as First American’s response to the risk.  In particular, the SEC determined that management did not know that the company’s information security personnel had identified the vulnerability several months earlier and had not remediated it as required by the company’s “vulnerability remediation management” policies.    

Based on this conduct, the SEC found that First American failed to maintain disclosure controls and procedures designed to ensure that all available, relevant information concerning the company’s cybersecurity vulnerability was analyzed by management in connection with the company’s filings with the SEC.  Without admitting or denying the SEC’s findings, First American agreed to a cease-and-desist order and to pay a $487,616 penalty.  The chief of the SEC Enforcement Division’s Cyber Unit noted that “[i]issuers must ensure that information important to investors is reported up the corporate ladder to those responsible for disclosures.”

[View source.]

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Bryan Cave Leighton Paisner | Attorney Advertising

Written by:

Bryan Cave Leighton Paisner
Contact
more
less

Bryan Cave Leighton Paisner on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.