John F. Savarese, Wayne M. Carlin, and Sabastian V. Niles are partners at Wachtell, Lipton, Rosen & Katz. This post is based on their Wachtell memorandum.
In recent years, companies across a wide range of industries have wrestled with the challenge of making appropriate disclosures about cybersecurity risks and vulnerabilities. Earlier this week, an SEC enforcement action, In the Matter of First American Financial Corp. (June 14, 2021) (“FAFC”), shed important new light on these cyber disclosure issues. Importantly, the case did not involve a third-party attack or actual data breach. Rather, it arose from an existing weakness in FAFC’s systems, and centered on the company’s public statements when the vulnerability was publicized in a press report. The case charges that FAFC failed to maintain disclosure controls and procedures sufficient to ensure that all available relevant information concerning the problem was analyzed for inclusion in the company’s disclosures. The SEC has not previously employed this theory as the exclusive basis for a cyber-related enforcement action. FAFC settled without admitting or denying the SEC’s findings.
FAFC is a real estate settlement services provider. According to the SEC’s order, in mid-2019, a cybersecurity journalist contacted FAFC seeking comment on a story about a security vulnerability in one of the company’s web-based applications. FAFC provided a statement to the reporter and also released it to other media outlets, noting, among other things, that “security, privacy and confidentiality are of the highest priority, and we are committed to protecting our customers’ information. The company took immediate action to address the situation . . . .” Shortly thereafter, FAFC filed a Form 8-K, in which it stated that it “shut down external access to a production environment with a reported design defect that created the potential for unauthorized access to customer data.”