Once again, a “control failure” is a lever used by SEC Enforcement to bring charges against a company, this time for failure to timely disclose a cybersecurity vulnerability. Yesterday, the SEC announced settled charges against a real estate settlement services company, First American Financial Corporation, for violation of the requirement to maintain adequate disclosure controls and procedures “related to a cybersecurity vulnerability that exposed sensitive customer information.” This action follows charges regarding control violations against GE (see this PubCo post), HP, Inc. (see this PubCo post) and Andeavor (see this PubCo post) where, instead of attempting to make a case about funny accounting or, in Andeavor, a defective 10b5-1 plan, the SEC opted to make its point by, among other things, charging failure to maintain and comply with internal accounting controls or disclosure controls and procedures. Companies may want to take note that charges related to violations of the rules regarding internal controls and disclosure controls seem to be increasingly part of the SEC’s Enforcement playbook, making it worthwhile for companies to make sure that their controls are in good working order. Perhaps we should pirate the Matt Levine mantra, “everything is securities fraud” (see this PubCo post): how ’bout “everything is also a control failure”?
According to the SEC’s order, in May 2019, the company was advised by a journalist that its “EaglePro” application for sharing document images related to title and escrow transactions had a vulnerability that exposed “over 800 million title and escrow document images dating back to 2003, including images containing sensitive personal data such as social security numbers and financial information.” That evening, the company issued a public statement and, on the next trading day, furnished a Form 8-K to the SEC. However, as it turns out, the company’s information security personnel had already identified the vulnerability in a report of a manual test of the EaglePro application about five months earlier, but failed to remediate it in accordance with the company’s policies. Importantly, for purposes of this case, they also failed to apprise senior executives about the report, including those responsible for making public statements, even though the information would have been “relevant to their assessment of the company’s disclosure response to the vulnerability and the magnitude of the resulting risk.” The company was found to have violated the requirement to maintain disclosure controls and procedures and ordered to pay a penalty of almost a half million dollars.
According to the SEC order in First American Financial, document images in the company’s repository that contained non-public personal information were supposed to be tagged with a security legend and transmitted only through secure packages that required password verification by the package recipient. But the tagging process was performed manually and, according to a 2018 internal analysis, tens of millions of document images were misclassified. In addition, a defect, which dated to 2014, allowed users to alter the digits in a URL to view other document images to which the user should not have had access (the classic insecure direct object reference pattern: the application served whatever document number appeared in the URL without checking that the requester was entitled to it). Moreover, some images transmitted through unsecured packages were stored on publicly available search engines. Interestingly, there’s no suggestion of a cyber attack or hack here; rather, the case involves flaws in the company’s application that left the data exposed.
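The two application flaws described above can be illustrated in a few lines. What follows is an added example, not code from the SEC order or from First American’s EaglePro application: a minimal document-retrieval function that serves whatever numeric ID appears in the URL (the direct object reference defect), next to a hardened version that checks entitlement and returns the same response for “not found” and “not yours”, plus a password-verified “secure package” so that non-public images are never handed out by bare URL. The document records, user names, package fields and passwords are all constructed for illustration.

```python
"""Added example (not from the SEC order or First American's code): an
insecure-direct-object-reference (IDOR) document endpoint beside a hardened
one, and a password-verified share package. All data below is constructed."""
import hashlib
import hmac
import secrets

# Constructed sample repository: doc_id -> owner, classification, image bytes.
DOCUMENTS = {
    1001: {"owner": "alice", "nonpublic": True, "image": b"SSN 123-45-6789, escrow 1001"},
    1002: {"owner": "bob", "nonpublic": True, "image": b"routing/acct 0001, escrow 1002"},
    1003: {"owner": "alice", "nonpublic": False, "image": b"recorded public notice 1003"},
}
PACKAGES = {}  # token -> package record (hypothetical in-memory store)


class Forbidden(Exception):
    """Raised for any request the caller is not entitled to."""


def get_document_vulnerable(doc_id, requesting_user):
    """Vulnerable: the only 'check' is that the ID exists. Change 1001 to 1002
    in the URL and you get another customer's image."""
    return DOCUMENTS[doc_id]["image"]


def get_document_hardened(doc_id, requesting_user):
    """Hardened: the record must exist AND belong to the requester. Missing and
    unauthorized IDs get the same response so enumeration learns nothing."""
    doc = DOCUMENTS.get(doc_id)
    if doc is None or doc["owner"] != requesting_user:
        raise Forbidden("document not available")
    return doc["image"]


def _pw_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def create_package(owner, doc_ids, password=None):
    """Build a share package. The sender must own every document, and any
    package containing non-public images must be password-protected."""
    for doc_id in doc_ids:
        doc = DOCUMENTS.get(doc_id)
        if doc is None or doc["owner"] != owner:
            raise Forbidden("cannot package a document you do not own")
    if any(DOCUMENTS[d]["nonpublic"] for d in doc_ids) and not password:
        raise ValueError("non-public images require a password-protected package")
    token = secrets.token_urlsafe(32)  # unguessable, unlike a sequential doc_id
    salt = secrets.token_bytes(16)
    PACKAGES[token] = {
        "docs": list(doc_ids),
        "salt": salt,
        "pw_hash": _pw_hash(password, salt) if password else None,
    }
    return token


def open_package(token, password=None):
    """Recipient side: token must exist and, if protected, the password must
    match (constant-time compare on the derived hash)."""
    pkg = PACKAGES.get(token)
    if pkg is None:
        raise Forbidden("package not available")
    if pkg["pw_hash"] is not None:
        if password is None or not hmac.compare_digest(
            _pw_hash(password, pkg["salt"]), pkg["pw_hash"]
        ):
            raise Forbidden("package not available")
    return [DOCUMENTS[d]["image"] for d in pkg["docs"]]


def denied(fn, *args):
    """Helper for demonstrations: True if the call is refused as Forbidden."""
    try:
        fn(*args)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    print("IDOR leak:", get_document_vulnerable(1002, "alice"))
    print("hardened refuses cross-user read:", denied(get_document_hardened, 1002, "alice"))
    tok = create_package("alice", [1001], "s3cret")
    print("wrong package password refused:", denied(open_package, tok, "nope"))
```

The hardened retrieval function is the fix for the URL-editing defect; the package functions show the control the order says was supposed to exist for non-public images (password verification by the recipient) expressed as a code-level invariant rather than a manual tagging step that can be skipped.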
The SEC alleged that, in a security assessment conducted in December 2018 and January 2019 and reflected in a subsequent report, information security personnel identified the vulnerability as a “serious” or level “3” vulnerability. Under the company’s vulnerability remediation management policies, a level 3 vulnerability was categorized as “medium risk” and required remediation within 45 days. However, as a result of a clerical error, the vulnerability was incorrectly input in the company’s tracking system as a level “2” or “low risk” vulnerability, requiring remediation within 90 days. But even that didn’t happen, nor was a waiver sought in accordance with company policies.
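The failure chain in this paragraph (report says level 3, tracker says level 2, the 90-day clock expires anyway, no waiver) is exactly what a reconciliation check between the assessment report and the tracking system would catch. The following is an added example, not a description of the company’s actual tooling: it computes due dates from the report’s severity rather than the tracker’s, and flags severity mismatches, overdue findings without a waiver, late remediation and findings that never made it into the tracker. Only the level 3 = 45 days and level 2 = 90 days values come from the order; the other SLA entries, the field names, finding IDs and dates are constructed.

```python
"""Added example (not the company's tooling): reconcile an assessment report's
findings against what a vulnerability tracker actually holds. Policy values
for levels 3 and 2 follow the order; the rest of the table is hypothetical."""
from datetime import date, timedelta

# Hypothetical policy table: severity level -> remediation SLA in days.
REMEDIATION_SLA_DAYS = {4: 15, 3: 45, 2: 90, 1: 180}

# Constructed: findings as written in the assessment report.
REPORT_FINDINGS = [
    {"id": "F-1", "title": "document image reachable by editing URL id", "level": 3, "reported": date(2019, 1, 15)},
    {"id": "F-2", "title": "verbose error page", "level": 2, "reported": date(2019, 1, 15)},
    {"id": "F-3", "title": "missing auth on admin export", "level": 4, "reported": date(2019, 1, 15)},
]

# Constructed: what was keyed into the tracking system. F-1 was entered at the
# wrong level (the clerical error), F-3 was never entered at all.
TRACKER = [
    {"finding_id": "F-1", "level": 2, "remediated": None, "waiver": None},
    {"finding_id": "F-2", "level": 2, "remediated": date(2019, 3, 1), "waiver": None},
]


def due_date(reported, level):
    """SLA deadline for a finding, computed from the policy table."""
    return reported + timedelta(days=REMEDIATION_SLA_DAYS[level])


def reconcile(findings, tracker, today):
    """Return (finding_id, issue) pairs. The deadline always derives from the
    report's severity so a mis-keyed tracker level cannot quietly extend it."""
    issues = []
    by_id = {t["finding_id"]: t for t in tracker}
    for f in findings:
        t = by_id.get(f["id"])
        if t is None:
            issues.append((f["id"], "missing_from_tracker"))
            continue
        if t["level"] != f["level"]:
            issues.append((f["id"], f"severity_mismatch report={f['level']} tracker={t['level']}"))
        due = due_date(f["reported"], f["level"])
        if t["remediated"] is None:
            if t["waiver"] is None and today > due:
                issues.append((f["id"], f"overdue_no_waiver due={due.isoformat()}"))
        elif t["remediated"] > due:
            issues.append((f["id"], f"remediated_late due={due.isoformat()}"))
    return issues


if __name__ == "__main__":
    for finding_id, issue in reconcile(REPORT_FINDINGS, TRACKER, date(2019, 5, 24)):
        print(finding_id, issue)
```

Run against the constructed data as of late May 2019, the check reports the mis-keyed severity on F-1, that F-1 is overdue with no waiver against its 45-day deadline, and that F-3 was never tracked; F-2 is silent because it was fixed inside its 90-day window. The point is that the report, not the tracker, is the source of truth for severity, so a data-entry slip surfaces as a discrepancy instead of a longer deadline.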
It wasn’t until the journalist notified IR personnel at the company of the leak that definitive action was taken, the SEC alleged. The company provided the following statement to the journalist for inclusion in the journalist’s published article, as well as to other national media outlets: “First American has learned of a design defect in an application that made possible unauthorized access to customer data. At First American, security, privacy and confidentiality are of the highest priority and we are committed to protecting our customers’ information. The company took immediate action to address the situation and shut down external access to the application.”
According to the order, the chief information security officer and the chief information officer learned about the vulnerability described in the report and the related failure of remediation only shortly after the journalist’s notification. Between the time of the journalist’s notification and the furnishing of the 8-K, both the CISO and CIO participated in numerous meetings with the CEO and CFO and other senior executives responsible for the company’s disclosures. However, according to the order, these senior executives “were not made aware about these facts” prior to the company’s release of its statement to the press or furnishing of the Form 8-K. As a result,
“the senior executives responsible for the company’s statements in May 2019, did not evaluate whether to disclose the company’s prior awareness of, or actions related to the vulnerability. Because these senior executives were not aware of the January 2019 Report, these senior executives did not know about the vulnerability described in the January 2019 Report. Unbeknownst to these senior executives, the company’s information security personnel had been aware of the vulnerability for months and the company’s information technology personnel did not remediate it, leaving millions of document images exposed to potential unauthorized access for months. Indeed, subsequent to the furnishing of the May 28, 2019 Form 8-K, the company’s information security personnel determined that the vulnerability had in fact existed since 2014. These senior executives thus lacked certain information to fully evaluate the company’s cybersecurity responsiveness and the magnitude of the risk from the EaglePro vulnerability at the time they approved the company’s disclosures.”
Notwithstanding the nature of its business in providing data, the order states, the company “did not have any disclosure controls and procedures related to cybersecurity, including incidents involving potential breaches of that data.” Accordingly, the SEC found that the company violated Exchange Act Rule 13a-15(a), which requires public reporting companies to “maintain disclosure controls and procedures designed to ensure that information required to be disclosed by an issuer in reports it files or submits under the Exchange Act is recorded, processed, summarized, and reported within the time periods specified in the Commission’s rules and forms.” The company was required to cease and desist and to pay a civil money penalty of $487,616.