On June 14, the Securities and Exchange Commission (SEC) announced a $490,000 settlement with the real estate services provider First American Financial Corporation (First American) for violations of disclosure controls and procedures related to cybersecurity vulnerabilities. Notably, the SEC’s case against First American did not specifically focus on a cyberattack or allege an underlying securities fraud charge, as many of its past cybersecurity enforcement actions have. The First American case signals the SEC Enforcement Division’s continued spotlight on cybersecurity issues and underscores the need for issuers to review and maintain adequate cybersecurity disclosure policies and procedures. We summarize here first some of the Commission’s recent cybersecurity-related enforcement actions and then highlight the First American proceeding.
In February 2018, the SEC issued interpretive guidance on cybersecurity disclosure that emphasized the importance of disclosure controls and procedures and reminded companies and corporate insiders that selective disclosures of material nonpublic information about cybersecurity risks or incidents could implicate concerns under the antifraud provisions of the federal securities laws, including insider trading issues. The guidance – which expanded upon the SEC’s prior guidance from October 2011 – further explained that cybersecurity risks are often material to a company’s business, depending on their nature, extent, and potential magnitude. These risks can harm a company’s reputation, financial performance, and customer and vendor relationships.
In an earlier enforcement action in 2018, the SEC charged employees of the credit rating company Equifax with insider trading relating to a 2017 data breach that exposed the personal information of 143 million Americans. Two Equifax employees who had been given confidential assignments relating to the breach, but without being informed that it was Equifax itself that had been breached, were able to determine that the company was the victim of the cyber incident, and then sold Equifax stock in advance of the company’s public announcement of the breach. Both individuals pled guilty to criminal charges and consented to SEC enforcement judgments, which included permanent injunctions, return of their gains, and in one case an officer and director bar.
In its first cyber-disclosure enforcement action against a public company, the SEC, also in 2018, imposed a $35 million penalty against Altaba, the successor to Yahoo, for alleged misrepresentations regarding what is believed to be one of the largest data breaches in history. According to the SEC, the company’s information security team learned in 2014 of a Russian state-sponsored attack on its systems involving the theft of user account information, including usernames, email addresses, birthdates, telephone numbers, and hashed passwords. The SEC alleged that the extent of the data breach, which involved hundreds of millions of user accounts, was not timely disclosed in the company’s public filings. The SEC noted that the company’s periodic disclosures regarding cybersecurity risk stated only that the company faced the risk of potential future data breaches, and did not include information regarding liquidity or net revenue consequences related to the breach. The SEC alleged the company violated Sections 17(a)(2) and 17(a)(3) of the Securities Act of 1933, which are non-scienter provisions of the securities laws in that they do not require intentional misstatements; the reporting requirements of Section 13(a) of the Securities Exchange Act of 1934; and the additional reporting, controls, and procedures requirements of Rules 12b-20, 13a-1, 13a-11, and 13a-15. The company agreed to settle with the SEC without admitting or denying the allegations.
That same year, the SEC entered into a consent agreement with Voya Financial Advisors in which Voya agreed to pay a $1 million fine for violating the Safeguards Rule (Rule 30(a) of Regulation S-P) and the Theft Red Flags Rule (Rule 201 of Regulation S-ID), a rule designed to protect customers from the risk of identity theft. It was the first time that the SEC had used the Theft Red Flags Rule in connection with a cybersecurity breach. The Commission alleged that Voya did not have adequate procedures in place to identify and detect business-specific identity theft red flags or to prevent and mitigate harm.
While these actions involved companies’ alleged failures to identify and adequately disclose cybersecurity risks, they did not focus specifically on a company’s failure to maintain adequate disclosure controls and procedures for ensuring that senior officials are made aware of cybersecurity risks.
First American Action
In March 2019, real estate services provider First American announced in a press release that it had just learned of cybersecurity vulnerabilities relating to millions of documents containing personal information. However, according to the SEC, the company’s cyber team had identified the problem months earlier in January 2019.
Among other things, First American provides closing and escrow services and issues title insurance on residential and commercial properties. As part of its business, the company collected Social Security numbers, financial data and other nonpublic personal information. By May 2019, the firm held 800 million documents containing personal information. The system for maintaining and transmitting these materials had a security flaw: a user could change the digits of a URL generated as part of a package containing the data and thereby access other materials. The firm’s cybersecurity team identified this vulnerability in January 2019 and called for it to be addressed by May of that year.
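The flaw described above is a missing authorization check on a document link whose identifier can be altered. The following is an added illustration, not code from the page or from First American’s system: a constructed document store served first by a handler that trusts the identifier in the URL, and then by a hardened handler that issues unguessable link tokens and still verifies that the requester is entitled to the document. The store contents, user names and the example.invalid host are assumptions.

```python
import secrets
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlparse

# Constructed sample store (document id -> (owner, content)); not real data.
DOCUMENTS: Dict[str, Tuple[str, str]] = {
    "1001": ("alice", "closing package for 12 Elm St"),
    "1002": ("bob", "escrow statement for 9 Oak Ave"),
}


def _query_param(url: str, name: str) -> Optional[str]:
    """Return the first value of query parameter `name`, or None."""
    return parse_qs(urlparse(url).query).get(name, [None])[0]


def fetch_document_vulnerable(url: str) -> Optional[str]:
    """Weak design: serves whatever sequential id appears in the link.

    Nothing ties the link to the person asking, so editing the digits of
    `id` returns a different customer's record. This is the pattern the
    text describes, shown only so the fix below can be compared to it.
    """
    record = DOCUMENTS.get(_query_param(url, "id") or "")
    return record[1] if record else None


# Hardened design: links carry a random token (assumed 256-bit) instead of a
# guessable number, and the handler checks ownership on every request.
_TOKENS: Dict[str, str] = {}  # token -> document id


def issue_link(doc_id: str) -> str:
    """Create a package link whose identifier cannot be enumerated."""
    token = secrets.token_urlsafe(32)
    _TOKENS[token] = doc_id
    return f"https://example.invalid/docs?token={token}"


def fetch_document_hardened(url: str, requester: str) -> Optional[str]:
    """Serve the document only if the token is valid AND the requester owns it."""
    doc_id = _TOKENS.get(_query_param(url, "token") or "")
    if doc_id is None:
        return None  # unknown or tampered token
    owner, content = DOCUMENTS[doc_id]
    if owner != requester:
        return None  # possession of a link is not authorization
    return content
```

Logging the `owner != requester` branch gives the security team a concrete signal that a link was shared or altered, which is the kind of finding the case says should be escalated to management.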
The company’s CEO, CIO and chief information security officer were not made aware of these facts until a journalist asked the company about its cybersecurity risks in May. First American then issued a press release, filed on Form 8-K, stating that the company had learned about the flaw and “took immediate action to address the situation and shut down external access to the application.”
The SEC charged First American with violating Rule 13a-15(a), alleging a failure to maintain adequate disclosure controls and procedures. The chief of the SEC Enforcement Division’s Cyber Unit, Kristina Littman, explained, “As a result of First American’s deficient disclosure controls, senior management was completely unaware of this vulnerability and the company’s failure to remediate it. Issuers must ensure that information important to investors is reported up the corporate ladder to those responsible for disclosures.” Demonstrating the Commission’s emphasis on implementing effective controls around cybersecurity vulnerabilities, the SEC contended that the company’s disclosure controls were inadequate because they did not bring cybersecurity risks to the attention of senior management.
The action underscores the need for issuers to evaluate their disclosure controls to ensure adequate coordination among information technology professionals, legal, and senior operating management, and to ensure that such controls are ultimately subject to proper board oversight.