June 16, 2021

SEC Settles Charges for Inadequate Cybersecurity Disclosure Controls

Yesterday, the SEC announced that it settled charges against a title insurance company for alleged violations of the disclosure controls and procedures requirements in connection with a cybersecurity vulnerability. The issue was that allegedly inadequate disclosure controls and procedures left management without all of the relevant information about the vulnerability when it assessed the company's disclosure response and the magnitude of the resulting risk. Although the company's information security team had performed a security assessment of one of its applications and identified the vulnerability several months before it became public, it allegedly neither informed the company's senior IT management of the vulnerability nor remediated it in accordance with company policies. The SEC's press release provides a summary:

According to the SEC's order, on the morning of May 24, 2019, a cybersecurity journalist notified First American of a vulnerability with its application for sharing document images that exposed over 800 million images dating back to 2003, including images containing sensitive personal data such as social security numbers and financial information. In response, according to the order, First American issued a press statement on the evening of May 24, 2019, and furnished a Form 8-K to the Commission on May 28, 2019. However, according to the order, First American's senior executives responsible for these public statements were not apprised of certain information that was relevant to their assessment of the company's disclosure response to the vulnerability and the magnitude of the resulting risk. In particular, the order finds that First American's senior executives were not informed that the company's information security personnel had identified the vulnerability several months earlier, but had failed to remediate it in accordance with the company's policies. The order finds that First American failed to maintain disclosure controls and procedures designed to ensure that all available, relevant information concerning the vulnerability was analyzed for disclosure in the company's public reports filed with the Commission.

"As a result of First American's deficient disclosure controls, senior management was completely unaware of this vulnerability and the company's failure to remediate it," said Kristina Littman, Chief of the SEC Enforcement Division's Cyber Unit. "Issuers must ensure that information important to investors is reported up the corporate ladder to those responsible for disclosures."

Without admitting or denying the findings in the SEC's order, First American agreed to cease and desist from violations of Exchange Act Rule 13a-15 and to pay a $487,000 penalty. The action is framed as a disclosure controls and procedures matter, but the cybersecurity connection is notable, since cybersecurity risk governance is among the items listed on the latest SEC Reg Flex Agenda.

– Lynn Jokela