On June 15, 2021, the SEC announced that it had settled charges that a title insurance company’s cybersecurity disclosure controls and procedures violated the agency’s public company reporting requirements. The title insurance company, First American Financial Corp., which neither admitted nor denied the charges, agreed to a cease-and-desist order and to pay a penalty. The charges do not represent the first time the SEC has pursued actions against a company for cybersecurity-related disclosures, but they do underscore the agency’s focus on cybersecurity disclosure-related issues, a topic that may be a source of increased focus ahead.


The SEC’s June 15, 2021 press release about the charges can be found here. The cease-and-desist order can be found here. The company’s June 15, 2021 filing on form 8-K about the charges and their resolution can be found here.


Background

First American is a title insurance company that also provides escrow and other closing services in connection with real estate transactions. The company maintained a document sharing application known as “Eagle Pro.” The application permitted the company to share documents in connection with title and escrow transactions.


On May 24, 2019, a cybersecurity journalist contacted First American to notify the company that its Eagle Pro application had a vulnerability exposing over 800 million title and escrow documents. (For further detail about the journalist’s report and about the vulnerability, refer here.) In response, First American issued a statement that the journalist included verbatim in his May 24, 2019 article about the vulnerability. On the next business day, May 28, 2019, the company submitted a filing on SEC Form 8-K which included the company’s May 24, 2019 statement.


Unknown to the company executives responsible for the press release and SEC filing, the Eagle Pro vulnerability had first been identified by First American information security personnel in January 2019. The vulnerability was described in a January 2019 report that was provided to security and IT managers at the time, but not to senior company management. Though the vulnerability had been identified internally in January 2019, it had not yet been remediated by the time of the May 2019 contact from the journalist.


The Charges and the Cease-and-Desist Order

In a June 14, 2021 order instituting cease-and-desist proceedings against First American, the SEC alleged that the senior company personnel responsible for the press release and SEC filing “were not apprised of” the prior identification of the vulnerability or of the fact that it had not been remediated. This information, the order asserts, “would have been relevant to management’s assessment of the company’s disclosure response to the vulnerability and the magnitude of the resulting risk.”


The order charges that the company “did not maintain disclosure controls and procedures designed to ensure that senior management had this relevant information about the January 2019 [vulnerability report] prior to issuing the company’s disclosures about the vulnerability.” The order charged further that as of May 24, 2019, First American “did not have any disclosure controls and procedures related to cybersecurity, including incidents involving potential breaches.”


Based on these allegations, the SEC alleged that the company had violated Rule 13a-15(a) under the Exchange Act of 1934, which, the agency asserted, requires “every issuer of a security registered pursuant to Section 12 of the Exchange Act” to “maintain disclosure controls and procedures designed to ensure that information required to be disclosed by an issuer in reports it files or submits under the Exchange Act is recorded, processed, summarized, and reported within the time periods specified by the Commission’s rules and forms.”


The order states further that, in anticipation of the cease and desist proceedings, the company had submitted an offer of settlement, which the agency had accepted. Without admitting or denying any of the agency’s charges (other than with respect to the agency’s jurisdiction), the company consented to the entry of an order finding a violation of the cited Rule. The order requires the company to pay a civil penalty of $487,616 and to cease and desist from further violations of the Rule.


Discussion

This proceeding is not the first SEC action against a company based on cybersecurity-related disclosure issues. For example, as discussed here, in April 2018, the SEC agreed with Altaba, Yahoo’s successor in interest, to settle charges related to disclosures surrounding Yahoo’s massive data breach.


But while this proceeding against First American is not the SEC’s first cybersecurity-related enforcement action, it does underscore that cybersecurity-related disclosure issues are an important agency priority and that the agency is prepared to take actions relating to cybersecurity disclosures.


Perhaps even more important here is the nature of the agency’s charges against First American. The charges are not so much about the company’s cybersecurity disclosures as such; rather, they are more about the controls and procedures the company had in place to ensure that its cybersecurity disclosures were accurate and complete.


As the agency’s order highlighted, as of the time of the May 2019 disclosures about the application vulnerability, the company “did not have disclosure controls and procedures in place related to cybersecurity.” The agency’s observation about the company’s lack of cybersecurity disclosure controls and procedures is not just a commentary; it is the essence of the agency’s charges against the company.


The agency’s assertion that the failure to have cybersecurity disclosure controls and procedures in place represents a violation of the agency’s reporting rules is nothing short of a wake-up call to all reporting companies.


To put it another way, reporting companies that, like First American in May 2019, do not have cybersecurity disclosure controls and procedures in place are vulnerable to allegations that the companies are in violation of the SEC’s public company reporting requirements.


In other words, every reporting company would be well advised to put controls and procedures in place that ensure its cybersecurity disclosures meet the agency’s standards.


In thinking about what these controls and procedures might look like, it is worth considering what the SEC thought was the problem here. This company did not have a mechanism to ensure that cybersecurity incidents and vulnerabilities were reported up to the senior management responsible for the company’s reporting and disclosures. So, at a minimum, a company that wants to put cybersecurity disclosure controls and procedures in place in order to comply with the SEC’s requirements will want a mechanism that ensures the management personnel responsible for reporting and disclosures are apprised of cybersecurity incidents and vulnerabilities, including those identified internally and not yet remediated.


For those readers who have that vague feeling that somehow the circumstances in the case sound familiar, I note that the allegations presented in the agency’s order are also the subject of a securities class action lawsuit filed in October 2020 and described in a post at the time, here. The cease-and-desist order’s recitation that senior company management was not aware of the vulnerability or its non-remediation at the time of the May 2019 disclosures is not particularly helpful to the plaintiffs in the securities class action lawsuit.


Bloggers on Blogging: In a June 15, 2021 video post on the Zippy Point website (here) entitled “The Bloggers Roundtable: How to Blog,” several bloggers in the corporate and securities litigation arena — including me — share their thoughts on blogging and on maintaining a blog. The video was moderated by Broc Romanek of Zippy Point and formerly of TheCorporateCounsel.net blog. The other speakers included Steve Quinlivan of the Dodd Frank blog; Lyle Roberts of the 10b-5 Daily blog; and Francis Pileggi of the Delaware Corporate and Commercial Litigation blog. The video is short but I think you will find it interesting and perhaps even a little bit amusing. My thanks to Broc for inviting me to be a part of the video.