Cyber Enforcement Action Shows Need for Proper Disclosure Controls, Procedures

The SEC recently announced settled charges against real estate settlement services company First American Financial Corporation for disclosure controls and procedures violations related to a cybersecurity vulnerability that exposed sensitive customer information. Without admitting or denying the SEC’s findings, First American agreed to a cease-and-desist order and to pay a $487,616 penalty.

According to the SEC’s order, on the morning of May 24, 2019, a cybersecurity journalist notified First American of a vulnerability in its application for sharing document images that exposed over 800 million images dating back to 2003, including images containing sensitive personal data such as social security numbers and financial information. In response, according to the order, First American issued a press statement on the evening of May 24, 2019, and furnished a Form 8-K to the Commission on May 28, 2019.

However, according to the order, First American’s senior executives responsible for these public statements were not apprised of certain information that was relevant to their assessment of the company’s disclosure response to the vulnerability and the magnitude of the resulting risk. In particular, the order finds that First American’s senior executives were not informed that the company’s information security personnel had identified the vulnerability several months earlier, but had failed to remediate it in accordance with the company’s policies. The SEC’s order found that First American failed to maintain disclosure controls and procedures designed to ensure that all available, relevant information concerning the vulnerability was analyzed for disclosure in the company’s public reports filed with the Commission.

In a blog post, lawyers from Davis Polk wrote that the SEC action, among other recent cases, highlights the need for firms to ensure proper internal communications around cyber issues. The lawyers advised that when designing and evaluating disclosure controls and procedures, companies should consider whether such controls and procedures will appropriately record, process, summarize, and report the information related to cybersecurity risks and incidents that is required to be disclosed. “Controls and procedures should enable companies to identify cybersecurity risks and incidents, assess and analyze their impact on a company’s business, evaluate the significance associated with such risks and incidents, provide for open communications between technical experts and disclosure advisors, and make timely disclosures regarding such risks and incidents.”