Published on October 5th, 2021
Lessons from a cyber-security breach
A recently settled case brought by the US financial regulator serves as a timely reminder that companies must have robust disclosure rules in place in order to deal with cyber-security incidents. In June the SEC announced a settlement with First American Financial, a provider of insurance settlement services, for “disclosure controls and procedures violations related to a cyber-security vulnerability that exposed sensitive customer information.”
The events that led to the charges began on May 24, 2019. A cybersecurity journalist got in touch with First American to let the company know he had discovered a weakness in a document-sharing application used by the company that meant 800 mn images had been exposed, according to the SEC order. These images included personal information such as social security and bank account numbers.
In response, First American published a press release on May 24 and a regulatory filing on May 28, notes the order, which included comments such as the company “has learned of a design defect in an application” and there was “no preliminary indication of large-scale unauthorized access to customer information”.
At the time of these communications, however, the firm's senior executives hadn't been made aware that the internal IT team already knew about the vulnerability, alleges the SEC. In fact, the security issue had been identified months earlier but had not yet been fixed.
As with many cyber-security incidents, the details of the weakness are rather mundane. Users of the application would receive a link to document images, details the SEC order. The links were generated with sequential numbers, meaning it was easy for anyone to change the digits in the URL and access other documents without permission.
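To make the weakness concrete, here is an added illustration (constructed sample code, not First American's application) of a document link keyed by a bare sequential number with no ownership check, alongside a hardened handler that both makes the link unguessable and still verifies that the requesting user owns the document:

```python
# Added illustration of the weakness the SEC order describes: document links
# keyed by a sequential number with no check that the requester may see that
# document (an insecure direct object reference). Constructed in-memory data
# and hypothetical function names; not First American's code.
import hashlib
import hmac
import secrets

# Constructed sample store: document id -> (owner account, image label)
DOCUMENTS = {
    1001: ("alice", "closing-statement.png"),
    1002: ("bob", "wire-instructions.png"),
}

def fetch_document_vulnerable(doc_id: int):
    """Sequential id taken straight from the URL, no ownership check.
    Editing the digits in the link returns a different customer's file."""
    return DOCUMENTS.get(doc_id)

# Hardened form: two independent controls.
# 1. The link carries a keyed MAC over the id rather than a bare counter, so
#    neighbouring documents cannot be enumerated by editing digits.
# 2. The server still checks that the authenticated user owns the document,
#    so a leaked or forwarded link is useless to anyone else.
LINK_KEY = secrets.token_bytes(32)  # constructed; a real service loads this from a secret store

def make_link_token(doc_id: int) -> str:
    """Token the server can verify but nobody can forge or predict."""
    mac = hmac.new(LINK_KEY, str(doc_id).encode(), hashlib.sha256).hexdigest()
    return f"{doc_id}.{mac}"

def fetch_document_hardened(token: str, requesting_user: str):
    """Return the document only if the token is valid AND the user owns it."""
    try:
        doc_id_str, mac = token.split(".", 1)
        doc_id = int(doc_id_str)
    except ValueError:
        return None  # malformed link
    expected = hmac.new(LINK_KEY, doc_id_str.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None  # tampered or guessed link
    doc = DOCUMENTS.get(doc_id)
    if doc is None or doc[0] != requesting_user:
        return None  # valid link, but the requester is not the owner
    return doc
```

The ownership check is the control that matters: an unguessable link alone only raises the cost of enumeration, while the server-side authorization check is what stops access by anyone other than the intended customer.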
“As a result of First American’s deficient disclosure controls, senior management was completely unaware of this vulnerability and the company’s failure to remediate it,” says Kristina Littman, cyber-unit chief at the SEC’s Division of Enforcement, in a statement. “Issuers must ensure information important to investors is reported up the corporate ladder to those responsible for disclosures.”
First American did not admit or deny the SEC’s findings and agreed to pay a $487,616 fine. “We’re pleased to resolve this matter with the SEC and remain committed to compliance with all SEC disclosure control requirements,” it says in a statement.
Sidley Austin, the US law firm, says the settlement offers useful takeaways for public companies to help them abide by the SEC’s cyber-security guidance. First, make sure there are policies and procedures in place so information about risks and incidents “is communicated to the appropriate disclosure personnel,” says the firm in an update posted on its website.
Second, ensure information security officers are trained to follow correct disclosure policies and procedures. The SEC order says information officers at First American had knowledge of the vulnerability but did not pass it on to the executives responsible for the public statements.
Third, make sure information security policies are properly implemented and maintained. In the case of First American, the vulnerability was not addressed as quickly as it should have been under the company’s own guidelines, according to the SEC order.
The growing importance of digital technology to all sectors, coupled with a constant flow of cyber-attacks, has pushed cyber-security to the top of boardroom agendas. The Covid-19 pandemic, which forced companies to adopt remote working, and in many cases to rely on their employees’ personal computers, further highlighted the need for enhanced IT controls.
Indeed, a recent study indicates growing anxiety among executives over cyber-security. PwC’s 2021 CEO survey, which polled 5,050 business leaders around the world, finds cyber-threats are viewed as the second-biggest concern for businesses, up from fourth in the previous year’s research. Only pandemics and health crises are considered a greater threat to a company’s fortunes.
US issuers should have more information about the SEC’s approach to cyber-security incidents soon: the regulator has said it is reviewing its guidance and plans to update the market by October 2021. But how to respond to these events is undoubtedly a major concern for all public companies today.
This article was originally published in the Fall 2021 issue of IR Magazine.