(Reuters) - A $490,000 settlement this week between the Securities and Exchange Commission and the real estate title insurance company First American didn’t garner big headlines on the business pages. But several law firms are warning clients that the SEC’s case signals new cybersecurity disclosure risks for corporations.
The SEC’s case against First American did not allege the company was liable for securities fraud when it said in a press release and SEC filing in March 2019 that it had just learned of vulnerabilities in the company’s vast real estate data repository, which includes financial and other identifying information about buyers and sellers. According to the SEC, First American’s data security personnel were actually already aware by then that millions of non-public documents could be exposed by changing digits in URLs customers could access legitimately. The cybersecurity team had pinpointed the problem in January 2019 and had called for a fix to be adopted by May 2019.
But senior officials at the company, including the CEO, CIO and chief information security officer, did not know about the cybersecurity team’s findings, according to the SEC, until the company received a query from a cybersecurity journalist about leaks of data from its repository. (The SEC consent order does not name the journalist but it was Brian Krebs of KrebsOnSecurity.com.) Even as the company formulated its press release responding to Krebs and its subsequent SEC filing about the exposed data, top officials didn’t have all of the necessary information “to fully evaluate the company’s cybersecurity responsiveness and the magnitude of the risk,” the SEC said.
That information vacuum, according to the SEC, was a violation of the disclosure provisions of the Exchange Act. “The company’s business includes providing services involving data related to real estate transactions,” the SEC said. “Nevertheless … First American did not have any disclosure controls and procedures related to cybersecurity, including incidents involving potential breaches of that data.”
First American did not admit or deny the SEC’s findings. I emailed the company’s Gibson, Dunn & Crutcher lawyers from a shareholder class action stemming from the 2019 disclosures but they didn’t respond.
The SEC has brought a handful of other cybersecurity cases, including its $35 million settlement in 2018 to resolve allegations that Yahoo didn’t tell investors about a data breach. It has also warned companies in a 2018 report on corporations that were victims of cyber fraud that publicly-traded companies must adopt robust internal controls to detect cyber threats.
But the First American case seems to be the first instance of the SEC accusing a company of failing to have adequate reporting controls in place to ensure that senior officials are apprised of cybersecurity risk. Law firms including Wachtell, Lipton, Rosen & Katz; Davis Polk & Wardwell; and Clifford Chance are calling the settlement a warning to other companies.
“This (settlement) may signal increased enforcement focus on internal controls requirements, even in the absence of a disclosure violation or actual harm,” Davis Polk wrote in a client alert on Thursday. Wachtell’s June 17 missive called the SEC’s focus on the alleged inadequacy of First American’s internal reporting on cyber risk “a new angle,” and reminded clients that controls are especially crucial when companies are crafting disclosures in response to crises, including cyber incidents.
The securities litigation blogger Kevin LaCroix at D&O Diary called the SEC’s First American settlement “nothing short of a wake-up call to all reporting companies.”
Interestingly, the settlement seems to have been a disappointment for lead counsel in the related shareholder class action against First American, which is before U.S. District Judge Dale Fischer in Los Angeles. Pomerantz filed its amended complaint in the case in March, alleging that the company fraudulently misrepresented the security of its data repository in numerous public filings between 2017 and 2020. First American’s lawyers from Gibson Dunn moved to dismiss the class action in May. Their chief argument: First American never told investors that it was invulnerable to a cybersecurity incident but merely said it was committed to cybersecurity – and certainly had no fraudulent intent when it made those statements.
The SEC settlement probably won’t help the plaintiffs’ fraud case. The commission concluded, after all, that senior officials were not aware that the company’s data security personnel had identified a way to access private information in the First American repository without authorization. According to the SEC, in other words, the corporate officials who were responsible for First American’s public disclosures did not know those disclosures contradicted the findings of the company’s lower-level data team.
As I mentioned, First American’s lawyers in the class action didn’t respond to my query. But plaintiffs' lawyer Joshua Silverman of Pomerantz said in an email that the SEC settlement was a “slap on the wrist,” adding, “The SEC easily could have charged First American with Section 10(b) violations had it chosen to.” (The SEC was closed for the Juneteenth holiday and not available to comment.)
Silverman said the settlement does validate shareholders’ assertion that the company made false disclosures. He said it will otherwise “have little impact” on shareholders’ case.
(Reporting by Alison Frankel)
Opinions expressed here are those of the author. Reuters News, under the Trust Principles, is committed to integrity, independence and freedom from bias.