On June 15, 2021, the SEC announced a settled enforcement action against First American Financial Corporation that demonstrates the increasing importance of data security and the disclosure controls and procedures required of public companies.
According to the SEC’s Order, First American had an application called “EaglePro” used for sharing financial documents in connection with real estate transactions. On May 24, 2019, a cybersecurity journalist contacted First American and told the Company that EaglePro had a vulnerability that exposed as many as 800 million documents, dating back to 2003, some of which included social security numbers and personal financial information. First American shut down access to EaglePro, provided a quote for inclusion in the journalist’s article published that same day, and issued an 8-K report with additional information on May 28, 2019.
At first glance, it appears First American acted correctly. However, the SEC’s Order says that First American’s personnel had discovered the vulnerability four months earlier, in January 2019. The Company’s Chief Information Security Officer and Chief Information Officer were not told about the earlier discovery until May 24, after the Company was contacted by the journalist. Even worse, the First American executives responsible for the Company’s SEC disclosures were not told of the earlier discovery until after the 8-K was filed on May 28, 2019. That left those officers without the information necessary to fully evaluate the Company’s data security responsiveness and the magnitude of the risk at the time they approved the disclosures. The settlement included a cease-and-desist order against First American and a civil penalty of $487,616 for failure to disclose this vulnerability.
From a securities disclosure perspective, this enforcement action points out the importance of having effective disclosure controls and procedures that ensure the persons responsible for the Company’s public disclosures have all the information necessary to make accurate and complete public disclosures. This should include policies and procedures designed to make sure that information makes its way up the chain to the persons responsible for disclosure decisions in a consistent and timely manner.
From a data privacy perspective, this enforcement action points out the importance of making sure that an issuer has a compliance program that aligns with Exchange Act Rule 13a-15(a), which requires public reporting companies to “maintain disclosure controls and procedures designed to ensure that information, required to be disclosed by an issuer in reports or files it submits under the Exchange Act, is recorded, processed, summarized, and reported within the time periods specified in the Commission’s rules and forms.” Even though there are not yet any specific requirements to make cybersecurity disclosures, the SEC has made it clear that it considers information about cybersecurity vulnerabilities to be material information about the company’s financial stability, and therefore subject to disclosure.
For example, in 2018, the SEC issued guidance on cybersecurity disclosure, controls and procedures to enable companies to identify cybersecurity risks and incidents, assess and analyze their impact on a company’s business, evaluate the significance associated with such risks and incidents, provide for open communications between technical experts and disclosure advisors, and make timely disclosures regarding such risks and incidents. In addition, given that CEO and CFO certifications required as part of periodic reporting address the effectiveness of disclosure controls, the certifying officers would need to take into account the adequacy of controls and procedures for identifying cybersecurity risks and incidents.
Michael Best has attorneys specializing in public company disclosures and in data privacy and cybersecurity. If you would like help with Exchange Act compliance and/or creation of disclosure policies and procedures, please contact one of the Michael Best attorneys identified below.