The Securities and Exchange Commission (SEC) issued a new warning to senior executives: what you don’t know can hurt you, especially in the realm of cybersecurity. The SEC recently settled with First American Financial Corporation (First American) in connection with a cybersecurity vulnerability that exposed reams of sensitive customer information. The SEC was not concerned with the breach itself but with First American’s failure to maintain disclosure controls and procedures designed to ensure accurate reporting. Specifically, First American’s information security personnel identified the vulnerability several months earlier, but due to a failure in disclosure controls, senior management was “completely unaware” of the vulnerability and the company’s failure to remediate it. The SEC warns that “[i]ssuers must ensure that information important to investors is reported up the corporate ladder to those responsible for disclosures.”
Cybersecurity Disclosure Controls Failures
On June 15, 2021, the SEC announced settled charges against the real estate settlement services company First American for the disclosure controls and procedures violations. According to the SEC’s order, on the morning of May 24, 2019, a cybersecurity journalist notified First American of a vulnerability in its application for sharing document images that exposed over 800 million images dating back to 2003. The images showed sensitive personal data like social security numbers and financial information.
First American provided the cybersecurity journalist with the following statement, which he included in his article:
First American has learned of a design defect in an application that made possible unauthorized access to customer data. . . . The company took immediate action to address the situation and shut down external access to the application.
On the morning of May 28, 2019, First American filed a Form 8-K, which attached an additional press release representing that there was “[n]o preliminary indication of largescale unauthorized access to customer information.” The press release also stated: "First American Financial Corporation advises that it shut down external access to a production environment with a reported design defect that created the potential for unauthorized access to customer data."
Unbeknownst to First American’s senior executives responsible for these public statements, a security assessment completed in January 2019 uncovered the defect embedded in the application. Due to a breakdown in communication and controls, senior executives did not learn of the assessment results until after the outreach by the cybersecurity journalist. According to the SEC’s order, these senior executives “lacked certain information to fully evaluate the company’s cybersecurity responsiveness and the magnitude of the risk” at the time they approved the company’s disclosures. Moreover, the SEC found that First American lacked any disclosure controls or procedures related to cybersecurity, including incidents involving data breaches
The SEC’s order charged First American with violating Rule 13a-15 of the Exchange Act, which requires every issuer of a security registered under Section 12 of the Exchange Act to maintain disclosure controls and procedures. Chief of the SEC Enforcement Division’s Cyber Unit, Kristina Littman, concluded, “As a result of First American’s deficient disclosure controls, senior management was completely unaware of this vulnerability and the company’s failure to remediate it.” Without admitting or denying the SEC’s findings, First American agreed to a cease-and-desist order and to pay a $487,616 penalty.
The SEC brought an Enforcement action against First American even though its senior executives believed its disclosures to be accurate when drafted. The SEC’s order highlights the enhanced focus on cybersecurity governance and the need for accuracy of related risk disclosures.
The increase in remote work during the pandemic has made companies even more vulnerable to cyber-attacks, which can have devastating financial, legal, and reputational consequences. Companies must ensure that when a cyber vulnerability is discovered, they have an effective process for reporting material information up the corporate ladder to those responsible for disclosures, and for ensuring that the vulnerability is fixed. Companies should review their data security policies and incident response plans, as well as their disclosure controls and processes related to cybersecurity, to ensure alignment with operations as the pandemic winds down and the “new normal” sets in. It is imperative to consider implementing new safeguards, training and controls in light of new remote work arrangements and other potential vulnerabilities.