Since releasing its February 2018 guidance on cybersecurity disclosure, the Securities and Exchange Commission (SEC) has homed in on companies with deficient disclosure controls and procedures. Most recently, the SEC settled with real estate services provider First American Financial Corporation (First American) for $490,000. This article will delve into what happened here, and what lessons your business can draw from it.
Facts of the Case: What Happened at First American?
In May 2019, First American announced that it had just learned of a cyber vulnerability that exposed over 800 million title and escrow document images. Many of these images contained sensitive personal information, including social security numbers and financial information.
First American then submitted a Form 8-K to the SEC on May 28, 2019, explaining that senior executives had not been alerted to the vulnerability prior to May. However, it was later revealed that First American’s IT team had been aware of the vulnerability since January 2019 but had not yet addressed the issues. The IT team’s failure to alert senior management to this information is what is at issue in this enforcement action.
This settlement is significant because it is the SEC’s first settled enforcement action that relates to inadequate disclosure controls and procedures.
You can read the SEC’s Orders here.
Cyber-disclosure: What do companies need to do?
The SEC’s cyber disclosure laws only apply to publicly listed companies, so you may not need to fear enforcement action from the SEC following a cyber incident. However, there are several lessons that all companies can draw from these circumstances:
You need to have healthy cyber-disclosure processes in place.
Regardless of your company’s size, your senior managers should be confident that their team will alert them to any significant cyber risk – caused by a cyber vulnerability or other event. You should have appropriate policies and processes in place and you should routinely stress test the processes to ensure they work.
You must balance disclosure with keeping cybersecurity efforts secret.
Companies need to learn to balance transparency toward investors, customers, and employees against remaining sufficiently tight-lipped about their cybersecurity efforts. It’s a fine line to walk. You need to ensure your investors can make informed choices, yet you don’t want to hand hackers and other malicious actors a roadmap to your systems.
It can be beneficial to admit your mistakes.
While the SEC requires publicly listed companies to amend disclosures that they discover to be untrue or that omit a material fact, any company may benefit from this approach (depending on the circumstances). Trust is important in the current consumer environment, and admitting fault (as opposed to having the story ‘break’ elsewhere) can help to retain that trust.
You should seek individual legal advice if you’re considering voluntarily disclosing a cyber breach.
You should know and understand your risk factors.
The SEC requires companies to disclose cybersecurity risks and/or cybersecurity incidents to investors, as part of their requirement for companies to disclose ‘the most significant factors that make investments in the company’s securities… risky’. This assessment should contemplate past incidents involving third parties, like suppliers, customers, and competitors.
Your business, regardless of industry or size, should be well informed about the type and magnitude of the cyber risk you face. Cybersecurity incidents can be devastating, reputationally and financially, for any business. Developing internal processes that ensure you are alert to evolving cybersecurity risks is now generally considered a minimum standard. You should be sure to have one in place.
You can read the SEC’s complete guidance on public company cybersecurity disclosure here.
If you need assistance navigating cybersecurity risk and compliance, get in touch. We’re here to help.
The materials available at this website are for informational purposes only and not for the purpose of providing legal advice. You should contact your attorney to obtain advice with respect to any particular issue or problem. Use of and access to this website or any of the e-mail links contained within the site do not create an attorney-client relationship between CGL and the user or browser. The opinions expressed at or through this site are the opinions of the individual author and may not reflect the opinions of the firm or any individual attorney.