A real estate settlement services provider settled SEC charges for inadequate disclosure controls and procedures related to cybersecurity vulnerabilities arising from the company's document-sharing application for title and escrow transactions.

In the Order, the SEC stated that the company's document-sharing application (i) contained a defect that enabled users to alter the digits in a certain document image's URL and view other documents to which they should not have had access and (ii) cached certain document images on publicly available search engines.

The SEC found that the company's information security personnel did not address or remediate the problem after learning of the vulnerability. The company's senior executives furnished a Form 8-K to the SEC, and made public statements disclosing the vulnerability, only after learning from a cybersecurity journalist that the company's document-sharing application potentially exposed over 800 million real estate transaction documents containing sensitive information.

As a result of its findings, the SEC determined that the company failed to maintain disclosure controls and procedures under SEA Rule 13a-15(a).

To settle the charges, the company agreed to (i) cease and desist from future violations and (ii) a $487,616 civil money penalty.

Commentary

This case is interesting in that the company was not charged with failing to protect customer information, making misleading statements, or failing to disclose the cybersecurity vulnerability. Instead, it was charged with not having sufficient disclosure controls related to cybersecurity: essentially, for not making sure that the senior executives responsible for the company's disclosures knew about the company's previous knowledge of the vulnerability and the surrounding circumstances. This is an extension of what the SEC has previously done in this area against public companies (e.g., its case against Yahoo! for failing to disclose a material breach), and public companies should take notice. In particular, companies whose businesses deal with sensitive customer data would be well served to review their disclosure controls and make sure they have sufficient controls and procedures specifically related to cybersecurity disclosures, including incidents involving breaches or vulnerabilities of sensitive customer data.

Primary Sources

  1. SEC Press Release: SEC Charges Issuer with Cybersecurity Disclosure Controls Failures
  2. SEC Order: First American Financial Corporation
