Catch of the Week: SEC Cracks Down Again on Cybersecurity Disclosures
This week’s Catch of the Week goes to the Securities and Exchange Commission for its latest settlement involving cybersecurity risks. The SEC charged First American Financial Corporation, an insurance company listed on the New York Stock Exchange, with failing to maintain disclosure controls and procedures adequate to address cybersecurity risks. According to the SEC’s Order, a journalist alerted First American to a major vulnerability in its “EaglePro” application, which the company used to share sensitive information electronically, including social security numbers and title- and escrow-related agreements. The vulnerability exposed over 800 million images dating back more than 15 years.
Although First American promptly disclosed the vulnerability after the journalist’s warning, a subsequent investigation uncovered that security personnel in the company had known about this vulnerability for months and had failed to address it. And due to First American’s inadequate policies and controls, this information did not make it to senior executives even as they prepared a disclosure in response to the journalist’s warnings. As a result, senior management lacked vital information regarding the vulnerability and resulting risk when the company first alerted shareholders to the problem. The SEC alleged that First American’s conduct violated Exchange Act Rule 13a-15(a), which requires issuers to maintain controls and procedures necessary to make timely and accurate disclosures. To resolve the SEC’s charges, First American agreed to pay a $487,616 penalty.
This settlement reflects the SEC’s heightened focus on cybersecurity in recent years. Since 2017, the SEC has maintained a “Cyber Unit” to develop expertise and guide enforcement related to cybersecurity controls at regulated entities, issuer disclosures of cybersecurity incidents and risks, cyber-related manipulations, and frauds involving digital assets, initial coin offerings, and cryptocurrencies. In 2018, the SEC published guidance on how public companies should disclose cybersecurity incidents and risks to investors. And in the same year, Yahoo paid a $35 million SEC penalty to settle charges that it misled investors by failing to disclose one of the world’s largest data breaches in which hackers stole personal data relating to hundreds of millions of user accounts.
This recent settlement shows that the SEC remains on the lookout for cybersecurity and data-breach violations. Under the SEC whistleblower program, people with knowledge of securities-law violations involving cybersecurity or data breaches can receive an award for reporting this information to the SEC. If the SEC collects monetary sanctions of more than $1 million, eligible whistleblowers can receive an award of between 10 percent and 30 percent of the amount collected by the government.