SEC Returns Spotlight to Cybersecurity Disclosure Enforcement
On June 15, the Securities and Exchange Commission announced a settlement with First American Financial Corporation over what the SEC found to be inadequate disclosure controls and procedures, deficiencies that came to light in connection with a cyber incident last spring. Since publishing guidance in early 2018 on disclosure principles for cybersecurity vulnerabilities, the SEC appears to have deliberately avoided second-guessing companies’ good-faith decisions about whether and when to disclose such vulnerabilities, bringing charges in only two cases, both of which involved disclosure lagging awareness of the vulnerability by approximately two years. In the First American matter, by contrast, the gap between awareness and disclosure was less than six months, yet the SEC still found the company’s policies and procedures inadequate.
The SEC’s order in First American is consistent with its published guidance and with public statements by SEC officials, all of which emphasize that company employees who know of security vulnerabilities must share that information with the people responsible for the company’s SEC disclosures.
In a related development, the SEC’s Enforcement Division recently sent information requests to what appears to be a wide range of companies, asking how they responded to a high-profile software vulnerability that came to light in late 2020 involving an information technology company. The information requests in this new Enforcement sweep also ask recipients to provide information about other compromises, including those that were not disclosed at the time.
With new Chair Gary Gensler now several months into setting priorities at the SEC, the First American settlement, taken together with the new Enforcement sweep, may signal increasing scrutiny by the SEC Enforcement Division of cybersecurity disclosure policies and procedures.