July 24, 2021

Volume XI, Number 205

Ensure Disclosure Controls and Procedures Address Cybersecurity

On June 15, 2021, the Securities and Exchange Commission (SEC) announced settled charges against real estate settlement services company First American Financial Corporation for disclosure controls and procedures violations related to a cybersecurity vulnerability that exposed sensitive customer information.  The SEC’s order charges First American with violating Rule 13a-15(a) of the Securities Exchange Act of 1934.  Without admitting or denying the SEC’s findings, First American agreed to a cease-and-desist order and to pay a $487,616 penalty.

Why We are Sending this Alert:  To remind issuers that they should ensure that their disclosure controls and procedures address cybersecurity and include elements intended to ensure that there is an analysis of potential disclosure obligations arising from cyberattacks and security breaches.

Details of SEC’s Order:  As reported by the SEC, on the morning of May 24, 2019, a cybersecurity journalist notified First American of a vulnerability with its application for sharing document images that exposed over 800 million images dating back to 2003, including images containing sensitive personal data such as social security numbers and financial information.  In response, according to the order, First American issued a press statement on the evening of May 24, 2019, and furnished a Form 8-K to the Commission on May 28, 2019.  However, according to the order, First American’s senior executives responsible for these public statements were not apprised of certain information that was relevant to their assessment of the company’s disclosure response to the vulnerability and the magnitude of the resulting risk.

The order finds that First American’s senior executives were not informed that the company’s information security personnel had identified the vulnerability several months earlier, but had failed to remediate it in accordance with the company’s policies.  The order finds that First American failed to maintain disclosure controls and procedures designed to ensure that all available, relevant information concerning the vulnerability was analyzed for disclosure in the company’s public reports filed with the Commission.

“As a result of First American’s deficient disclosure controls, senior management was completely unaware of this vulnerability and the company’s failure to remediate it,” said Kristina Littman, Chief of the SEC Enforcement Division’s Cyber Unit.  She also stated, “Issuers must ensure that information important to investors is reported up the corporate ladder to those responsible for disclosures,” and “First American did not have any disclosure controls and procedures related to cybersecurity, including incidents involving potential breaches of that data.”

Action Items:  The order is a reminder that issuers should ensure that their disclosure controls and procedures address cybersecurity and include elements intended to ensure that there is an analysis of potential disclosure obligations arising from cyberattacks and security breaches.  At a minimum, disclosure controls and procedures and related protocols should specifically provide that cybersecurity incidents are promptly escalated and investigated, and reported to senior management, and where appropriate, to the Board of Directors.

Issuers should also consider reviewing their compliance programs to address the potential applicability of restrictions against trading while in possession of material, nonpublic information in connection with a cyberattack or security breach.

© 2021 Foley & Lardner LLP
National Law Review, Volume XI, Number 167

About this Author

Peter D. Fetzer, Securities Lawyer, Foley Lardner, Mergers Attorney
Partner

Peter Fetzer is a partner and business lawyer with Foley & Lardner LLP. His practice focuses primarily in the areas of securities regulation, mergers and acquisitions, corporate governance and general corporate counseling to mutual funds, exchange traded funds, publicly traded investment advisers and public companies.

414.297.5596
Stuart E. Fross, Foley Lardner, Securities lawyer, Finance Attorney
Partner

Stuart Fross is a partner and business lawyer with Foley & Lardner LLP where he concentrates his practice on securities laws and regulations, as part of the Private Equity & Venture Capital, Transactional & Securities and International Practices.

Mr. Fross’ main focus is investment managers and pooled investment vehicles, including U.S. registered open-end, closed-end and exchange traded funds, bank collective investment funds (with an emphasis on stable value funds), UCITS funds, as well as private funds, organized in the US and...

617-50-3382
Stephen M. Meli Business Attorney Foley & Lardner Boston, MA
Partner

Stephen M. Meli is a partner and business lawyer with Foley & Lardner LLP. Steve is based in the firm’s Boston office where he is a member of the Transactions Practice and focuses on fund formation, emerging and spin-out fund sponsors and institutional investor representation.

Fund Formation Experience

Steve focuses his practice on lower and middle market buyout, venture capital, growth equity, credit and similar private funds, including funds-of-funds and secondary funds.

With an emphasis on commercial sense and practicality, Steve advises sponsors on every...

617-226-3107
Margaret Nelson Financial Attorney Foley & Lardner
Of Counsel

Margaret Gembala Nelson is of counsel with Foley & Lardner LLP, where she represents accounting firms, financial service entities, corporations and their professionals in auditor liability matters, government enforcement investigations and examinations, and complex securities and business litigation. She also conducts internal investigations on behalf of clients and advises on regulatory compliance and risk management issues.

Margaret has more than 15 years of experience as a regulatory and litigation lawyer focusing on complex securities, accounting, compliance, and commercial...

312.832.4376
Thomas J. Krysa Litigation Attorney Foley & Lardner Denver, CO
Partner

Thomas J. Krysa is a partner and litigation lawyer with Foley & Lardner LLP. Tom is based in the firm’s Denver office where he is a member of the Securities Enforcement & Litigation Practice. His practice focuses on advising clients in securities enforcement and litigation matters, government investigations, and complex commercial disputes. Tom, a former SEC senior officer and federal prosecutor, brings extensive government experience to the forefront to solve his clients’ problems short of government action, while at the same time preserving their interests should litigation and...

720-437-2010