SEC charges settlement company with cybersecurity disclosure violations
On June 15, the SEC announced charges against a real estate settlement services company for its role in allegedly failing to disclose controls and procedures related to a cybersecurity vulnerability that exposed sensitive customer information. According to the SEC’s order, an independent cybersecurity journalist warned the company in May 2019 of a vulnerability concerning its system for sharing document images that exposed over 800 million images dating back to 2003, including images containing sensitive personal data such as social security numbers and financial information. In response, the company allegedly issued a press release for inclusion in the cybersecurity journalist’s report published in May 2019 and furnished a Form 8-K to the Commission on May 28, 2019. However, according to the order, the company’s senior executives responsible for these kinds of releases “were not apprised of certain information that was relevant to their assessment of the company’s disclosure response to the vulnerability and the magnitude of the resulting risk.” Specifically, the order states that senior executives were not informed that the company’s information security personnel had identified a vulnerability several months earlier, in January 2019, but failed to remediate the vulnerability in accordance with the company’s policies. The order finds that the company “failed to maintain disclosure controls and procedures designed to ensure that all available, relevant information concerning the vulnerability was analyzed for disclosure in the company’s public reports filed with the Commission.” The SEC charged the company with violating Rule 13a-15(a) of the Exchange Act and ordered the company, who agreed to a cease-and-desist order, to pay a $487,616 penalty.