The SEC has settled an enforcement action against a large title insurer in connection with public statements and disclosures made by the company in May 2019 relating to a data security incident. The underlying data security incident was the subject of the first set of charges brought by the New York Division of Financial Services (NYDFS) under its cybersecurity regulations in 2020, and involved an application vulnerability that allegedly exposed sensitive personal information dating back to 2003 and was first publicly reported in May 2019 by the media. The SEC’s settlement order relates to the issuer’s handling of its disclosures of the incident under federal securities laws, rather than the underlying vulnerabilities alleged by the NYDFS against the NYDFS-regulated covered entity in its charges under state financial regulations. The SEC imposed a fine of approximately $487,000 for violations of Rule 13a-15(a). The NYDFS has scheduled a hearing for August 16, 2021 regarding its original statement of charges, which the company has said it is fighting.
The SEC order alleged disclosure controls and procedures violations under Rule 13a-15(a), which requires every issuer of a security registered under Section 12 of the Exchange Act to maintain disclosure controls and procedures designed to ensure that information required to be disclosed by an issuer is “recorded, processed, summarized, and reported” within the requisite time periods. Here, the Commission alleged that the company “did not have any disclosure controls and procedures related to cybersecurity, including incidents involving potential breaches of data.”
As evidence of the violations, the SEC seized on statements made by the company to the press on May 24, 2019 and in its Form 8-K on May 28, 2019. In these disclosures regarding the data security incident, the company stated that it “took immediate action to address the situation and shut down external access to the application” and that there was “[n]o preliminary indication of large-scale unauthorized access to customer information.” According to the order, the company’s senior executives who were responsible for the press statement and Form 8-K were not aware of certain information prior to making these public statements. The order describes information of which the company’s information security personnel, including its CISO and CIO, were aware—including that the vulnerability at issue in the data security incident had been previously identified in January 2019 and was not timely remediated—but that the executives responsible for disclosures were not aware of these facts prior to making statements to the press or furnishing a Form 8-K to the SEC.
The order also is noteworthy for what the SEC did not allege. For example, the enforcement action was styled as disclosure controls violations rather than more serious violations associated with false or misleading statements. In addition, the SEC took no position on the timing of the disclosure. Instead, the crux of the violation is that although information security personnel were aware that the vulnerability had been identified in January 2019, this information did not flow up to senior management prior to issuing the company’s disclosures. The order characterizes the information known to the CIO and CISO at the time as “relevant to management’s assessment” of the vulnerability, the company’s disclosures in response, and the magnitude of the resulting risk.”
By bringing the action under Section 12, the SEC has signaled its continued attention to the quality of disclosures and adequacy of disclosure controls with respect to issuers, consistent with its 2018 guidance regarding the importance of maintaining “disclosure controls and procedures that provide an appropriate method of discerning the impact that [cybersecurity] matters may have on the company…as well as a protocol to determine the potential materiality of such risks and incidents.” The settlement order was announced days after the SEC released its agenda for upcoming rulemaking, which has scheduled a cybersecurity risk governance proposed rule release for October 2021.
There are several steps companies can take in response to the order. First, companies may wish to review the adequacy of their disclosure controls and procedures as well as their incident response plans. For example, companies may wish to update long-standing corporate governance policies and procedures to ensure they explicitly include cybersecurity risk considerations. Second, companies may wish to ensure they are prepared to take a cross-functional approach to incident response as appropriate to the type and scale of incident so that legal, compliance, communications, and information security all work together in a coordinated fashion. In addition to this interdisciplinary approach, it may be useful to include decision points for communications to senior management, the Board, and any third parties in incident response plans at appropriate intervals.