SEC Announces Settled Charges Against First American for Cybersecurity Disclosure Controls Failures – Lessons Learned
On June 15, 2021, the SEC announced settled charges against First American Title Insurance Company (First American) for disclosure controls and procedures violations related to a cybersecurity vulnerability that exposed sensitive customer information.1 Without admitting or denying the SEC’s findings, First American agreed to a cease-and-desist order and to pay a $487,616 penalty (Order). This resolution highlights the SEC’s continued focus on cybersecurity. The SEC is considering enhancing its disclosure rules concerning cybersecurity risk governance and has indicated a target release date of October 2021.2
In September 2017, then-SEC Chairman Jay Clayton issued a public statement that provided an overview of the SEC’s approach to cybersecurity and underscored it as a priority for the SEC.3 The SEC and its staff followed the September 2017 statement with various cybersecurity-related initiatives and guidance, including January 27, 2020, cybersecurity guidance and observations published by the SEC’s Division of Examinations (formerly Office of Compliance Inspections and Examinations).4
In the Order, the SEC alleges that First American’s disclosures concerning the vulnerability were deficient because senior executives were not provided all available and relevant information, specifically that First American’s information security personnel had identified and failed to remediate the vulnerability months earlier in January 2019. The Order provides helpful guidance for how the SEC Enforcement Division’s Cyber Unit may enforce the SEC’s interpretative guidance on cybersecurity disclosure requirements and additional lessons about the SEC’s evolving views of cybersecurity disclosures and risk management. Below, we discuss the SEC’s public guidance with respect to cybersecurity and disclosures, the key allegations in the SEC’s Order, and the lessons learned.
I. SEC Statement and Guidance on Public Company Cybersecurity Disclosures
On February 26, 2018, the SEC released its Commission Statement and Guidance on Public Company Cybersecurity Disclosures (the Guidance), which provides guidance on public company disclosure of cybersecurity risks and incidents.5 The Guidance underscores the SEC’s focus on cybersecurity disclosure obligations of public companies and their underlying disclosure controls, procedures, and certifications.6 Specifically, the Guidance states that these controls and procedures should
- enable companies to identify cybersecurity risks and incidents
- assess and analyze their impact on a company’s business
- evaluate the significance associated with such risks and incidents
- provide for open communications between technical experts and disclosure advisers
- make timely disclosures regarding such risks and incidents7
The SEC has continued to focus on cybersecurity issues, as evidenced not only by the First American Order but also by the agency’s recent risk alerts published by the Division of Examinations concerning cyber-related topics, including ransomware and credential stuffing.8 More recently, on June 11, 2021, the SEC issued its Spring 2021 Regulatory Flexibility Agenda (the Spring 2021 Agenda), which states the agency will consider proposing rule amendments to enhance issuer disclosures regarding cybersecurity risk governance by October 2021.9
II. Background to the SEC’s Order Against First American
According to the SEC’s Order, First American did not have disclosure controls and procedures designed to ensure that all available, relevant information concerning the vulnerability at issue was analyzed for disclosure — including that security personnel had previously identified, but failed to remediate, the vulnerability at issue.10 The vulnerability arose from an embedded application, where from 2014 to May 24, 2019, a user could alter the digits in a URL to view another document to which the user should not have had access. The Order alleges that this vulnerability exposed over 800 million images dating back to 2003, including sensitive personal data, such as Social Security numbers and financial information.
In response to a journalist’s notification to First American of this vulnerability, on May 24, 2019, First American issued a press statement and, on May 28, 2019, a Form 8-K. These public statements collectively stated, among other things, that “First American has learned of a design defect”; that “[t]he company took immediate action”; that there was “[n]o preliminary indication of large-scale unauthorized access”; and that the defect “created the potential for unauthorized access to customer data.” The Order states that senior executives at First American were not informed that the company’s information security team had known about the vulnerability for months and had failed to remediate it. Further, it alleges that subsequent to the furnishing of the May 28, 2019, Form 8-K, First American’s information security personnel determined that the vulnerability had in fact existed since 2014. The Order asserts that when First American senior executives approved the public disclosures, they lacked certain information to fully assess the company’s cybersecurity responsiveness and the magnitude of the risk from the vulnerability.
III. Lessons Learned From the SEC’s Order
The SEC’s Order provides critical insight for public companies’ disclosure regimes. Specifically, publicly traded companies should consider the following issues as they work to improve their cybersecurity disclosure controls and programs in compliance with the SEC’s Guidance and to address the issues raised in the SEC’s First American Order.
- Establish Policies and Procedures to Ensure Information About Cybersecurity Risks and Incidents Is Communicated to the Appropriate Disclosure Personnel: The Order alleges that disclosure personnel were not made aware of all relevant facts despite the participation of First American’s chief information security officer (CISO) and chief information officer (CIO) (both of whom had knowledge of the vulnerability and lack of remediation) in discussions concerning the public disclosures at issue. Companies’ internal procedures should ensure that important and material information flows to appropriate disclosure personnel in a timely manner. Additionally, companies should ensure that disclosure committees have representation from all relevant parts of the organization.
- Train Information Security Personnel to Follow Policies and Procedures Concerning the Disclosure of Material Issues: The Order alleges that First American’s CISO and CIO failed to inform the company’s senior executives of their prior knowledge of the vulnerability. Companies should consider implementing training processes to ensure that information security personnel understand cybersecurity disclosure requirements, especially as stated in the Guidance.
- Ensure Proper Implementation and Maintenance of Information Security Policies: According to the Order, First American did not comply with its own vulnerability remediation policy and did not remediate the vulnerability at issue in a timely manner. Companies should regularly assess compliance with current policies and procedures to confirm their effectiveness as adequate controls.
1 SEC Press Release 2021-102, SEC Charges Issuer With Cybersecurity Disclosure Controls Failures (June 15, 2021).
2 See Cybersecurity Risk Governance, 3235-AM89, Securities and Exchange Commission (Spring 2021).
3 See SEC Chairman Jay Clayton, Statement on Cybersecurity (Sept. 20, 2017).
4 See SEC Press Release 2020-20, SEC Office of Compliance Inspections and Examinations Publishes Observations on Cybersecurity and Resiliency Practices (Jan. 27, 2020).
5 83 FR 8166 (Feb. 26, 2018). The 2018 Guidance reinforces and expands on the 2011 guidance issued by the staff of the SEC Division of Corporation Finance regarding disclosure obligations regarding cybersecurity risks and cyberincidents. See CF Disclosure Guidance: Topic No. 2, Cybersecurity (Oct. 14, 2011).
6 See Sidley Austin LLP, SEC Issues New Guidance on Cybersecurity Disclosure Requirements, Sidley Austin LLP (Mar. 2, 2018).
7 See Sidley Austin LLP, SEC Issues New Guidance on Cybersecurity Disclosure Requirements, Sidley Austin LLP (Mar. 2, 2018).
8 See, e.g., Cybersecurity: Ransomware Alert, Risk Alert, Office of Compliance Inspections and Examinations (July 10, 2020); Cybersecurity: Safeguarding Client Accounts against Credential Compromise, Risk Alert, Office of Compliance Inspections and Examinations (Sept. 15, 2020).
9 Cybersecurity Risk Governance, Proposed Rule (announced June 11, 2021) (NPRM expected Oct. 2021).
10 The SEC’s Order is not the first regulatory action against First American related to the cybersecurity vulnerability. On July 21, 2020, the New York State Department of Financial Services (NYDFS) issued a statement of charges and notice of hearing against First American for six violations of the department’s Cybersecurity Requirements for Financial Services Companies. The SEC’s press release in the First American settlement noted the assistance of the NYDFS. See NYDFS press release, Department of Financial Services Announces Cybersecurity Charges Against a Leading Title Insurance Provider For Exposing Millions of Documents with Consumer’s Personal Information (July 22, 2020); In the Matter of First American Title Insurance Company, No. 2020-0030-C (July 21, 2020).