Once again, a “control failure” is a lever used by SEC Enforcement to bring charges against a company, this time for failure to timely disclose a cybersecurity vulnerability. Yesterday, the SEC announced settled charges against a real estate settlement services company, First American Financial Corporation, for violation of the requirement to maintain adequate disclosure controls and procedures “related to a cybersecurity vulnerability that exposed sensitive customer information.” This action follows charges regarding control violations against GE (see this PubCo post), HP, Inc. (see this PubCo post) and Andeavor (see this PubCo post) where, instead of attempting to make a case about funny accounting or, in Andeavor, a defective 10b5-1 plan, the SEC opted to make its point by, among other things, charging failure to maintain and comply with internal accounting controls or disclosure controls and procedures. Companies may want to take note that charges related to violations of the rules regarding internal controls and disclosure controls seem to be increasingly part of the SEC’s Enforcement playbook, making it worthwhile for companies to make sure that their controls are in good working order. Perhaps we should pirate the Matt Levine mantra, “everything is securities fraud” (see this PubCo post): how ’bout “everything is also a control failure”?
It’s worth noting here that prominently featured on the SEC’s Spring 2021 Reg-Flex Agenda are proposed rules regarding cybersecurity risk governance disclosure. Given the recent consternation over hacks and ransomware, it should come as no surprise that the SEC may propose rule amendments to enhance issuer disclosures regarding cybersecurity risk governance. The agenda identifies October 2021 as the target date for issuance of a proposal. (See this PubCo post.)
According to the SEC’s order, in May 2019, the company was advised by a journalist that its “EaglePro” application for sharing document images related to title and escrow transactions had a vulnerability that exposed “over 800 million title and escrow document images dating back to 2003, including images containing sensitive personal data such as social security numbers and financial information.” That evening, the company issued a public statement and, on the next trading day, furnished a Form 8-K to the SEC. However, as it turns out, the company’s information security personnel had already identified the vulnerability in a report of a manual test of the EaglePro application about five months earlier, but failed to remediate it in accordance with the company’s policies. Importantly, for purposes of this case, they also failed to apprise senior executives about the report, including those responsible for making public statements, even though the information would have been “relevant to their assessment of the company’s disclosure response to the vulnerability and the magnitude of the resulting risk.” The company was found to have violated the requirement to maintain disclosure controls and procedures and ordered to pay a penalty of almost a half million dollars.
Of course that’s small potatoes compared to the $35 million penalty that the entity formerly known as Yahoo! Inc. agreed to pay in 2018 “to settle charges that it misled investors by failing to disclose one of the world’s largest data breaches in which hackers stole personal data relating to hundreds of millions of user accounts.” That case also involved an allegation of defective disclosure controls. In its Order in that case, the SEC found that, in late 2014, Yahoo learned of a massive cyber breach by hackers associated with the Russian Federation—at that time considered the largest breach of its kind—that affected over 500 million user accounts, resulting in the “theft, unauthorized access, and acquisition of hundreds of millions of its users’ data, including usernames, birthdates, and telephone numbers,” referred to internally as the company’s “crown jewels.” The Order charged that the company’s
“senior management and relevant legal staff did not properly assess the scope, business impact, or legal implications of the breach, including how and where the breach should have been disclosed in Yahoo’s public filings or whether the fact of the breach rendered, or would render, any statements made by Yahoo in its public filings misleading….Furthermore, Yahoo’s senior management and legal teams did not share information regarding the breach with Yahoo’s auditors or outside counsel in order to assess the company’s disclosure obligations in its public filings. Yahoo did not maintain disclosure controls and procedures designed to ensure that reports from Yahoo’s information security team raising actual incidents of the theft of user data, or the significant risk of theft of user data, were properly and timely assessed to determine how and where data breaches should be disclosed in Yahoo’s public filings, including, but not limited to, in its risk factor disclosures or MD&A.”
In the Order, the SEC also found that, in September 2016, the company issued a press release disclosing the data breach and attached it as an exhibit to a Form 8-K. The day following the announcement, the company’s market cap fell nearly $1.3 billion. (See this PubCo post.)
According to the SEC order in First American Financial, document images in the company’s repository that contained non-public personal information were supposed to be tagged with a security legend and transmitted only through secure packages that required password verification by the package recipient. But the tagging process was performed manually and, according to a 2018 internal analysis, tens of millions of document images were misclassified. In addition, a defect, which dated to 2014, allowed users to alter the digits in a URL to view other document images to which the user should not have had access (a classic insecure direct object reference: the sequential document identifier in the link was the only thing standing between a recipient and everyone else’s documents). Moreover, some images transmitted through unsecure packages were indexed by publicly available search engines. Interestingly, there’s no suggestion of a cyber attack or hack here; rather, the case involves flaws in the company’s application that left the data exposed.
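To make the two control failures concrete, here is an added illustration (not code from the SEC order, from First American or from the EaglePro application). It models a document-image endpoint keyed only by a sequential ID taken from the URL, beside a hardened lookup that resolves images only through the package the recipient was actually granted, and it shows how the “secure package only for NPI” rule depends entirely on the manual legend being correct. The repository contents, the package/token scheme, the password-derivation parameters and every name below are assumptions made for the example.

```python
"""Added example; not from the SEC order or the company's code.
Models (1) the URL-ID defect and (2) a package-bound lookup with a
password check, plus the dependence of both on the manual NPI legend.
All data and names here are constructed for illustration."""
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

PBKDF2_ROUNDS = 200_000  # assumed parameter, not a value from the order


@dataclass(frozen=True)
class DocImage:
    doc_id: int
    contains_npi: bool   # the "security legend"; the order says it was set by hand
    body: bytes


# Constructed repository. Note 1004: it really holds NPI but is mis-tagged,
# standing in for the "tens of millions of misclassified images".
REPO = {
    1001: DocImage(1001, True,  b"alice: SSN 000-00-0000"),
    1002: DocImage(1002, True,  b"bob: wire instructions 1234"),
    1003: DocImage(1003, False, b"carol: recorded plat map"),
    1004: DocImage(1004, False, b"dave: SSN 111-11-1111 (legend missing)"),
}


def fetch_image_vulnerable(doc_id: int) -> Optional[bytes]:
    """The defect pattern: the number in the URL is the only input, so
    changing ?doc=1001 to ?doc=1002 returns someone else's document."""
    img = REPO.get(doc_id)
    return img.body if img else None


@dataclass(frozen=True)
class Package:
    token: str                       # unguessable; replaces the sequential ID
    doc_ids: frozenset                # the only documents this package may expose
    salt: Optional[bytes]            # None => "unsecure" package, no password
    password_hash: Optional[bytes]


PACKAGES: dict = {}


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def create_package(doc_ids, password: Optional[str] = None) -> str:
    """Build a package. password=None models an unsecure package; any image
    carrying the NPI legend is refused there, exactly as the policy required.
    This check is only as good as the legend on the image."""
    secure = password is not None
    for d in doc_ids:
        if REPO[d].contains_npi and not secure:
            raise PermissionError(f"doc {d} carries the NPI legend; secure package required")
    salt = secrets.token_bytes(16) if secure else None
    pkg = Package(
        token=secrets.token_urlsafe(32),
        doc_ids=frozenset(doc_ids),
        salt=salt,
        password_hash=_derive(password, salt) if secure else None,
    )
    PACKAGES[pkg.token] = pkg
    return pkg.token


def fetch_image_hardened(token: str, doc_id: int,
                         password: Optional[str] = None) -> Optional[bytes]:
    """Resolve an image only through a package the caller can name and,
    for secure packages, unlock. Unknown token, wrong password and a
    doc_id outside the package all look identical to the caller (None)."""
    pkg = PACKAGES.get(token)
    if pkg is None:
        return None
    if pkg.password_hash is not None:
        if password is None or not hmac.compare_digest(
                _derive(password, pkg.salt), pkg.password_hash):
            return None
    if doc_id not in pkg.doc_ids:      # the authorization step the URL defect lacked
        return None
    return REPO[doc_id].body


if __name__ == "__main__":
    print(fetch_image_vulnerable(1002))                # IDOR: Bob's doc, no auth
    tok = create_package({1001}, password="s3cret")
    print(fetch_image_hardened(tok, 1001, "s3cret"))   # Alice's own doc
    print(fetch_image_hardened(tok, 1002, "s3cret"))   # None: not in package
    loose = create_package({1004})                     # mis-tagged NPI slips through
    print(fetch_image_hardened(loose, 1004))
```

The last two lines are the point a practitioner should take from the order: the package-bound lookup closes the URL-manipulation hole regardless of how images are tagged, but the “NPI only in secure packages” rule still rests on a manual legend, so a misclassified image is exposed with no defect in the code at all. Remediation of the enumeration defect and validation of the classification are separate controls and need separate tracking.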
The SEC alleged that, in a security assessment conducted in December 2018 and January 2019 and reflected in a subsequent report, information security personnel identified the vulnerability as a “serious” or level “3” vulnerability. Under the company’s vulnerability remediation management policies, a level 3 vulnerability was categorized as “medium risk” and required remediation within 45 days. However, as a result of a clerical error, the vulnerability was incorrectly input in the company’s tracking system as a level “2” or “low risk” vulnerability, requiring remediation within 90 days. But even that didn’t happen, nor was a waiver sought in accordance with company policies.
It wasn’t until the journalist notified IR personnel at the company of the leak that definitive action was taken, the SEC alleged. The company provided the following statement to the journalist for inclusion in the journalist’s published article, as well as to other national media outlets: “First American has learned of a design defect in an application that made possible unauthorized access to customer data. At First American, security, privacy and confidentiality are of the highest priority and we are committed to protecting our customers’ information. The company took immediate action to address the situation and shut down external access to the application.”
According to the order, the chief information security officer and the chief information officer learned about the vulnerability described in the report and the related failure of remediation only shortly after the journalist’s notification. Between the time of the journalist’s notification and the furnishing of the 8-K, both the CISO and CIO participated in numerous meetings with the CEO and CFO and other senior executives responsible for the company’s disclosures. However, according to the order, these senior executives “were not made aware about these facts” prior to the company’s release of its statement to the press or furnishing of the Form 8-K. As a result,
“the senior executives responsible for the company’s statements in May 2019, did not evaluate whether to disclose the company’s prior awareness of, or actions related to the vulnerability. Because these senior executives were not aware of the January 2019 Report, these senior executives did not know about the vulnerability described in the January 2019 Report. Unbeknownst to these senior executives, the company’s information security personnel had been aware of the vulnerability for months and the company’s information technology personnel did not remediate it, leaving millions of document images exposed to potential unauthorized access for months. Indeed, subsequent to the furnishing of the May 28, 2019 Form 8-K, the company’s information security personnel determined that the vulnerability had in fact existed since 2014. These senior executives thus lacked certain information to fully evaluate the company’s cybersecurity responsiveness and the magnitude of the risk from the EaglePro vulnerability at the time they approved the company’s disclosures.”
Notwithstanding the nature of its business in providing data, the order states, the company “did not have any disclosure controls and procedures related to cybersecurity, including incidents involving potential breaches of that data.” Accordingly, the SEC found that the company violated Exchange Act Rule 13a-15(a), which requires public reporting companies to “maintain disclosure controls and procedures designed to ensure that information required to be disclosed by an issuer in reports it files or submits under the Exchange Act is recorded, processed, summarized, and reported within the time periods specified in the Commission’s rules and forms.” The company was required to cease and desist and to pay a civil money penalty of $487,616.
The SEC’s 2018 guidance on cybersecurity disclosure addressed disclosure obligations under existing laws and regulations, cybersecurity policies and procedures, disclosure controls and procedures, insider trading prohibitions and Reg FD and selective disclosure prohibitions in the context of cybersecurity. The guidance notes that “cybersecurity incidents can result from unintentional events or deliberate attacks by insiders or third parties.” With regard to cybersecurity policies and controls and procedures, the SEC encouraged companies to adopt, and regularly assess compliance with, comprehensive policies and procedures related to cybersecurity, particularly disclosure controls and procedures. The guidance urged companies to assess whether their disclosure controls and procedures capture information about cybersecurity risks and incidents and ensure that it is reported up the corporate ladder to enable senior management to make decisions about whether disclosure is required and whether other actions should be taken. According to the guidance, “[c]ontrols and procedures should enable companies to identify cybersecurity risks and incidents, assess and analyze their impact on a company’s business, evaluate the significance associated with such risks and incidents, provide for open communications between technical experts and disclosure advisors, and make timely disclosures regarding such risks and incidents. The controls should also ensure that information is communicated to appropriate personnel to facilitate compliance with insider trading policies.” In addition, given that CEO and CFO certifications required as part of periodic reporting address the effectiveness of disclosure controls, the certifying officers would need to take into account the adequacy of controls and procedures for identifying cybersecurity risks and incidents.
With regard to disclosure, the guidance explained that, although there are no disclosure requirements that specifically refer to cybersecurity risks and incidents, the obligation to disclose material cybersecurity risks and incidents would still arise, depending on a company’s particular circumstances, in the context of many required disclosure documents, including registration statements and periodic and current reports. For example, the SEC encouraged companies to use current reports on Form 8-K to promptly report the costs and other consequences of material cybersecurity incidents. And, under Rule 10b-5 and similar provisions, companies should consider whether their cybersecurity disclosures provide all material facts required to be stated therein or necessary to make the statements therein not misleading. Exchange listing standards also impose disclosure obligations.
In determining whether disclosure regarding cybersecurity risks and incidents is necessary, “companies generally weigh, among other things, the potential materiality of any identified risk and, in the case of incidents, the importance of any compromised information and of the impact of the incident on the company’s operations.” But how is “materiality” assessed in the context of cybersecurity? The SEC noted that the Basic v. Levinson probability/magnitude test is still a relevant part of the analysis. The SEC also advised that “materiality of cybersecurity risks or incidents depends upon their nature, extent, and potential magnitude, particularly as they relate to any compromised information or the business and scope of company operations.” In that regard, the SEC noted that compromised information “might include personally identifiable information, trade secrets or other confidential business information, the materiality of which may depend on the nature of the company’s business, as well as the scope of the compromised information.” Materiality “also depends on the range of harm that such incidents could cause. This includes harm to a company’s reputation, financial performance, and customer and vendor relationships, as well as the possibility of litigation or regulatory investigations or actions, including regulatory actions by state and federal governmental authorities and non-U.S. authorities.” As always, the SEC cautioned companies to “avoid generic cybersecurity-related disclosure and provide specific information that is useful to investors.” Although companies are expected to “disclose cybersecurity risks and incidents that are material to investors, including the concomitant financial, legal, or reputational consequences,” the SEC made clear that companies are not expected to provide detailed roadmaps or specific technical information about potential system vulnerabilities that would compromise a company’s security protections. 
(For more information about the SEC guidance, see this PubCo post and this Cooley Alert.)
In late 2018, as reported by the WSJ, then-Corp Fin Chief Accountant Kyle Moffatt, speaking at the FEI Current Financial Reporting Issues Conference, urged companies to align their disclosure practices with the SEC’s cybersecurity disclosure guidance, citing in particular the need to discuss board risk oversight, disclosure controls and procedures and insider trading policies in the context of cybersecurity. In addition, he advised that the “‘biggest key is making sure that there are procedures in place to make sure that the information is provided to all levels, all relevant levels, of management, so everyone is aware of what’s happened and so that those issues can be addressed.’”