A recently settled case brought by the US financial regulator serves as a timely reminder that companies must have robust disclosure rules in place in order to deal with cyber-security incidents. In June the SEC announced a settlement with First American Financial, a provider of insurance settlement services, for ‘disclosure controls and procedures violations related to a cyber-security vulnerability that exposed sensitive customer information.’
The events that led to the charges began on May 24, 2019. A cybersecurity journalist got in touch with First American to let the company know he had discovered a weakness in a document-sharing application used by the company that meant 800 mn images had been exposed, according to the SEC order. These images included personal information such as social security and bank account numbers.
In response, First American published a press release on May 24 and a regulatory filing on May 28, notes the order, which included comments such as the company ‘has learned of a design defect in an application’ and there was ‘no preliminary indication of large-scale unauthorized access to customer information’.
At the time of these communications, however, the firm's senior executives hadn't been made aware that the internal IT team already knew about the vulnerability, alleges the SEC. In fact, the security issue had been identified months earlier but had not yet been fixed.
As with many cyber-security incidents, the details of the weakness are rather mundane. Users of the application would receive a link to document images, details the SEC order. The links were generated with sequential numbers, meaning it was easy for anyone to change the digits in the URL and access other documents without permission.
‘As a result of First American’s deficient disclosure controls, senior management was completely unaware of this vulnerability and the company’s failure to remediate it,’ says Kristina Littman, cyber-unit chief at the SEC’s Division of Enforcement, in a statement. ‘Issuers must ensure information important to investors is reported up the corporate ladder to those responsible for disclosures.’
First American did not admit or deny the SEC’s findings and agreed to pay a $487,616 fine. ‘We’re pleased to resolve this matter with the SEC and remain committed to compliance with all SEC disclosure control requirements,’ it says in a statement.
Sidley Austin, the US law firm, says the settlement offers useful takeaways for public companies to help them abide by the SEC’s cyber-security guidance. First, make sure there are policies and procedures in place so information about risks and incidents ‘is communicated to the appropriate disclosure personnel,’ says the firm in an update posted on its website.
Second, ensure information security officers are trained to follow correct disclosure policies and procedures. The SEC order says information officers at First American had knowledge of the vulnerability but did not pass it on to the executives responsible for the public statements.
Third, make sure information security policies are properly implemented and maintained. In the case of First American, the vulnerability was not addressed as quickly as it should have been under the company’s own guidelines, according to the SEC order.
The growing importance of digital technology to all sectors, coupled with a constant flow of cyber-attacks, have pushed cyber-security to the top of boardroom agendas. The Covid-19 pandemic, which forced companies to adopt remote working – and in many cases rely on their employees’ personal computers – highlighted further the need for enhanced IT controls.
Indeed, a recent study indicates growing anxiety among executives over cyber-security. PwC’s 2021 CEO survey, which polled 5,050 business leaders around the world, finds cyber-threats are viewed as the second-biggest concern for businesses, up from fourth in the previous year’s research. Only pandemics and health crises are considered a greater threat to a company’s fortunes.
US issuers should have more information about the SEC’s approach to cyber-security incidents soon: the regulator has said it is reviewing its guidance and plans to update the market by October 2021. But how to respond to these events is undoubtedly a major concern for all public companies today.
This article was originally published in the Fall 2021 issue of IR Magazine. Click here to access the magazine.