SEC Settles Enforcement Action for Disclosure Controls Violations Stemming from Data Security Incident
Kate Hanniford writes:
The SEC has settled an enforcement action against a large title insurer in connection with public statements and disclosures made by the company in May 2019 relating to a data security incident. The underlying data security incident was the subject of the first set of charges brought by the New York Division of Financial Services (NYDFS) under its cybersecurity regulations in 2020, and involved an application vulnerability that allegedly exposed sensitive personal information dating back to 2003 and was first publicly reported in May 2019 by the media. The SEC’s settlement order relates to the issuer’s handling of its disclosures of the incident under federal securities laws, rather than the underlying vulnerabilities alleged by the NYDFS against the NYDFS-regulated covered entity in its charges under state financial regulations. The SEC imposed a fine of approximately $487,000 for violations of Rule 13a-15(a). The NYDFS has scheduled a hearing for August 16, 2021 regarding its original statement of charges, which the company has said it is fighting.
The SEC order alleged disclosure controls and procedures violations under Rule 13a-15(a), which requires every issuer of a security registered under Section 12 of the Exchange Act to maintain disclosure controls and procedures designed to ensure that information required to be disclosed by an issuer is “recorded, processed, summarized, and reported” within the requisite time periods. Here, the Commission alleged that the company “did not have any disclosure controls and procedures related to cybersecurity, including incidents involving potential breaches of data.”
Read more on Privacy, Cyber & Data Strategy Log.