Eliminate Barriers To Employee Disclosure Of Cyber Vulnerabilities

The U.S. Securities and Exchange Commission (SEC) recently announced civil monetary penalties and a cease-and-desist order against First American Financial Corporation (FAFC) for deficient disclosure controls and procedures related to cybersecurity risks.

FAFC provides title insurance policies for residential and commercial real estate and closing and escrow services. On May 24, 2019, a cybersecurity journalist notified the organization that "its web application for sharing document images related to title and escrow transactions had a cybersecurity vulnerability that exposed sensitive personal information from more than 800 million documents from real estate transactions, including bank account numbers, mortgage and tax records, Social Security numbers, wire transactions receipts and drivers' licenses images."

The journalist published the discovery after FAFC shut down external access to the web application.

On May 28, 2019, FAFC filed a Form 8-K and press release with the SEC about the vulnerability. However, the senior executives who filed the information did not know that FAFC information security personnel had known about the vulnerability for months and failed to remedy the issue or communicate it to senior information security management.

In addition, FAFC's chief information security officer and chief information officer subsequently learned that information security personnel knew about the vulnerability, but they did not tell the FAFC senior executives responsible for the Form 8-K disclosure.

The SEC determined that FAFC violated Rule 13a-15(a) of the Securities Exchange Act of 1934 by failing to maintain disclosure controls and procedures to ensure the timely and accurate reporting of required information to the SEC. The chief of the SEC Enforcement Division's Cyber Unit stated that insurers "must ensure that information important to investors is reported up the corporate ladder to those responsible for disclosures."

Although the SEC has warned of possible action for nearly a decade, this enforcement action is the first finding of a violation under Rule 13a-15(a) with respect to cybersecurity risk disclosure controls and procedures. In 2018, the SEC updated its initial 2011 guidance to stress "'the importance of maintaining comprehensive policies and procedures related to cybersecurity risks and incidents' in order to ensure that relevant information about cybersecurity risks and incidents is processed and reported up the corporate ladder to enable senior management to make accurate disclosures and related certifications."

The SEC announced a settlement with FAFC on June 15, 2021, requiring the organization to pay a civil penalty of $487,616 and comply with a cease-and-desist order.

In addition, the New York State Department of Financial Services (NYSDFS) issued the first charges ever for violating its Cybersecurity Regulations against FAFC on July 22, 2020. Each instance of nonpublic information in the 800 million exposed documents carries a penalty of up to $1,000.

The NYSDFS action contributed to a shareholders' derivative suit against FAFC and its board of directors. FAFC also reportedly faces several consumer class-action lawsuits. Shardul Desai and Ira Rosner, "SEC Issues First-Ever Penalties for Deficient Cybersecurity Risk Controls," jdsupra.com (Jun. 23, 2021).

Commentary

FAFC’s violations stemmed from a lack of reporting policies requiring that vulnerability information be shared immediately with executives, who had a duty to report cyber vulnerabilities and data breaches. Public companies, like FAFC, must promptly report cybersecurity vulnerabilities or incidents to the SEC, which in turn requires that those responsible for submitting SEC reports be informed.

Even if your organization is not subject to SEC regulations, it is essential that all employees understand the importance of reporting cybersecurity issues to the designated individuals or department in your organization.

In the above matter, employees knew of the vulnerabilities, but kept quiet.

An employee who, out of fear, keeps silent about suspicious online activity or about having possibly shared sensitive data with a cybercriminal opens the door to a serious data breach. Make it clear in your policies that failing to report a suspected cyber issue will lead to disciplinary action.

Your organization’s cyber risk plan must include internal audits, prevention policies and procedures, disclosure controls and procedures, and employee training.
