Cybersecurity Controls and Procedures: Lessons Learned from the SEC’s Latest Enforcement Action

Does your company have procedures in place to bring key cybersecurity information to your directors and officers in a timely manner? If the answer is no, then there are some lessons for you in the following Securities and Exchange Commission enforcement action against one of the leading providers of title insurance and settlement services.

SEC Enforcement Action Against First American

In June 2021, the SEC announced a nearly $500,000 penalty settlement with First American Financial Corporation for disclosure and procedure violations related to a cybersecurity event. According to the SEC’s announcement, First American senior executives were not aware of information that was relevant to the company's disclosures about a cyber incident that was discovered. As a result, their disclosure was deficient.

Specifically, the company officers weren’t informed that their information security personnel had “identified the [cyber] vulnerability several months earlier but had failed to remediate it in accordance with the company’s policies.”

The SEC found that “First American failed to maintain disclosure controls and procedures designed to ensure that all available, relevant information concerning the vulnerability was analyzed for disclosure in the company’s public reports filed with the Commission.”

According to the SEC, First American’s cyber vulnerability exposed more than 800 million images dating back to 2003, and those images contained sensitive personal data like social security numbers and financial information.

The SEC charged First American with violating Exchange Act Rule 13a-15(a), “which requires every issuer of a security registered pursuant to Section 12 of the Exchange Act to maintain disclosure controls and procedures designed to ensure that information required to be disclosed by an issuer in reports it files or submits under the Exchange Act is recorded, processed, summarized, and reported within the time periods specified in the Commission’s rules and forms.”

Without admitting or denying the SEC’s findings, First American agreed to a cease-and-desist order and paid the penalty of $487,616.

The SEC Is Serious About Cyber Disclosure

The First American case is a clear message that public company cybersecurity controls and procedures are still very much a concern for the agency. Consider this enforcement action as the SEC’s way of reminding issuers of its 2018 Commission Statement and Guidance on Public Company Cybersecurity Disclosures.

In that guidance, the SEC laid out guidelines for public companies to prepare disclosures about cybersecurity risks and incidents pursuant to the Securities Exchange Act of 1934.

The guidance states that “the development of effective disclosure controls and procedures is best achieved when a company’s directors, officers, and other persons responsible for developing and overseeing such controls and procedures are informed about the cybersecurity risks and incidents that the company has faced or is likely to face.”

Specifically, the SEC advises that internal corporate controls and procedures as it relates to cybersecurity should do the following:

Controls and procedures should enable companies to identify cybersecurity risks and incidents, assess and analyze their impact on a company’s business, evaluate the significance associated with such risks and incidents, provide for open communications between technical experts and disclosure advisors, and make timely disclosures regarding such risks and incidents.

From the SEC’s perspective, a clear problem at First American was the failure to have in place a functioning reporting system that would have brought critical information to executives in a timely way.

The guidance goes on to say that “a company’s disclosure controls and procedures should not be limited to disclosure specifically required but should also ensure timely collection and evaluation of information potentially subject to required disclosure, or relevant to an assessment of the need to disclose developments and risks that pertain to the company’s businesses.”

Board Oversight of Cyber Risk

The SEC’s expectations for board oversight parallel the Delaware Court’s expectations for board oversight of critical risks as articulated in Marchand v. Barnhill aka the “Bluebell ice cream” case. As I discussed in an article on this topic, takeaways from that duty of oversight claim (aka Caremark claim) focused on the importance of procedures that bring key information to the board.

Neither the SEC nor the courts expect directors necessarily to be technical experts when it comes to cyber risk. But they—and shareholders—do expect boards to take a proactive approach when dealing with cyber risk. These steps include:

• Seeking proactively to understand a company’s specific areas of cyber risk;
• Requesting regular briefings on what management is doing to address cyber risk, including things like the roadmap management is following, periodic tabletop exercises and the like;
• Understanding the steps management has taken to ensure that cyber risk concerns and actual intrusion events are being reported to the correct people at the company in a timely way;
• Confirming that all disclosures made by the company are accurate, as well as that risk factors are adequately specific;
• Making a business decision about obtaining appropriate cyber insurance.

This last point can be especially challenging in an environment where the insurance products are both evolving and getting increasingly expensive. On this point, more companies are moving away from working with generalists and towards insurance brokers who are specialists when it comes to cyber insurance.

Another increasingly common practice is for boards to ask for a briefing on cyber insurance directly from these specialists. Doing so is both a way for a board to conduct appropriate due diligence as well as create a record (in the minutes) of having done so.