Paul Ferrillo is partner at Seyfarth Shaw LLP; Bob Zukis is Adjunct Professor of Management and Organization at the USC Marshall School of Business; and Christophe Veltsos is a Professor at Minnesota State University.
The Securities and Exchange Commission’s (the “SEC”) very recent settled enforcement action against First American Financial Corporation (“FAF”), with an agreed-upon cease-and-desist order and a monetary penalty of almost $500,000, reaffirmed what we have been preaching: when it comes to the cybersecurity disclosures of public companies, the SEC is watching closely for compliance both under applicable disclosure law (the Securities and Exchange Act of 1934) and under its 2018 Cybersecurity Guidance, which was issued in the wake of two noteworthy breaches, Yahoo and Equifax.
More directive cyber risk disclosure requirements are likely coming from the SEC this fall. And while cyber risk disclosure isn’t a “get out of jail free” card in the event of litigation, timely and accurate disclosure can significantly reduce a company’s exposure to litigation risk.
That the SEC was already “watching” in regard to cyber risk disclosure should be no surprise to registrants as the SEC first issued cybersecurity guidance in 2011. While no disclosure requirements at that time explicitly referred to cybersecurity risks and cyber incidents, the SEC’s 2011 Guidance clarified that companies may nevertheless be obliged to disclose “timely, comprehensive, and accurate information about risks and events that a reasonable investor would consider important to an investment decision.” The SEC subsequently issued its 2018 Guidance to summarize the guidelines concerning cybersecurity disclosure requirements, to reinforce and expand upon the 2011 Guidance, and to address three topics not previously addressed: (1) the significance of cybersecurity risk management procedures and policies, (2) board oversight of cybersecurity, and (3) insider trading restrictions concerning cybersecurity.
This, coupled with the creation of a specialized SEC cyber enforcement unit in 2017 and certain cybersecurity-related statements by then SEC Chair Jay Clayton [1], meant one had to assume that a fine or penalty like FAF was increasingly likely. Another key indicator of future SEC activity is the increase in high-profile cybersecurity attacks that threaten not only the nation’s critical infrastructure but also key software supply chain corporations like SolarWinds. [2] The targeting and exploitation of systemic weaknesses, and the ongoing wave of systemic threats and breaches, have introduced a new and major escalation in cyber warfare that affects government and corporate America alike.
The American cyber ecosystem is ablaze with activity, and most of it is not related to good news. Companies should be thinking about their cybersecurity disclosures to not only reduce litigation risk, but to reduce the real levels of business-related cyber risk facing their companies.
Below, we first discuss the SEC’s 2018 guidance. Then we discuss the facts of FAF which gave rise to the enforcement proceeding and penalty. Finally, we discuss what we think corporate disclosure should look like, from periodic reports until the day comes when the company has to disclose that it has been breached.
The 2018 SEC Cybersecurity Disclosure Guidance
The 2018 SEC Cyber Guidance [3] addressed several critical points focused on the disclosure practices of public companies with respect to cybersecurity risk, cybersecurity disclosure and board oversight. The Commission stated their objectives clearly by saying “…it is critical that public companies take all required actions to inform investors about material cybersecurity risks and incidents in a timely fashion.” [p. 4] (emphasis added). The guidance also specifically addresses insider trading related to significant cybersecurity incidents and the need for policies and procedures to prevent acting on non-public information regarding the breach.
The Commission further stated that the key to these objectives is the “…development of effective disclosure controls and procedures…” [p. 5]. It also calls out the need for directors to be properly informed about the “…cybersecurity risks and incidents that the company has faced or is likely to face.” This expectation is both factual (incidents the company has faced) and forward-looking (incidents it is likely to face), and it places a challenging burden on companies and their corporate directors.
In addressing materiality, the Commission notes “In determining their disclosure obligations regarding cybersecurity risks and incidents, companies generally weigh, among other things, the potential materiality of any identified risk and, in the case of incidents, the importance of any compromised information and of the impact of the incident on the company’s operations. The materiality of cybersecurity risks or incidents depends upon their nature, extent, and potential magnitude, particularly as they relate to any compromised information or the business and scope of company operations. The materiality of cybersecurity risks and incidents also depends on the range of harm that such incidents could cause. This includes harm to a company’s reputation, financial performance, and customer and vendor relationships, as well as the possibility of litigation or regulatory investigations or actions, including regulatory actions by state and federal governmental authorities and non-U.S. authorities.” [4]
Perhaps foretelling the events of SolarWinds in December 2020, this far-reaching materiality statement identifies several unique aspects of cybersecurity related to systemic risk. This is especially true when it comes to companies and their connected partners, customers, and broader supply chain. The “range of harm” statement specifically addresses the interconnected nature of digital business systems and the systemic risk inherent in them. In this context, a systemic risk can start in one part of a connected business system and then spread to and threaten the larger connected system, even moving between companies or streams of commerce, e.g. the oil and gas pipeline industry. As businesses of all sizes have undergone digital transformation to leverage the benefits of a “digital operating system,” every digital business system is now subject to this type of inherent systemic risk. Implicitly, the 2018 Cyber Guidance acknowledges the compound range of impacts that a cybersecurity incident can have, from regulatory fines and reputational impact to financial impact.
Cyber risk materiality requires an understanding and quantification of the financial impacts of cyber risk, an existing expectation under the 2018 SEC Guidance. Cyber insurance transfers only a small fraction of the economic impact of cyber risk, and the self-insurance exposure that companies carry requires adequate quantification and disclosure. However, most companies and boards are deficient in quantifying the economic impacts of cyber risk, which makes meaningful disclosure impossible.
The 2018 SEC Cyber guidance also addresses incident escalation through effective disclosure controls and guidance and the board’s role in overseeing cybersecurity risk. They note, “To the extent cybersecurity risks are material to a company’s business, we believe this discussion should include the nature of the board’s role in overseeing the management of that risk. In addition, we believe disclosures regarding a company’s cybersecurity risk management program and how the board of directors engages with management on cybersecurity issues allow investors to assess how a board of directors is discharging its risk oversight responsibility in this increasingly important area.”
We focus here on escalation and board oversight since they are linked and since they were the focus of the SEC’s attention in FAF. It is our view that without proper escalation the entire system breaks down, a systemic risk in action. Without proper escalation procedures to senior management and ultimately the board, there is little chance that a board of directors will fully understand cybersecurity risk and its widespread implications. And without proper escalation there is also little chance that the board will be able to fulfill its fiduciary oversight duties over cybersecurity, since it will lack critical information concerning the company’s cybersecurity posture, and, in FAF, critical information concerning the data breach and massive exposure of information.
The Facts of FAF
FAF is a very large financial services company with a large title insurance division (hereinafter the “Title Company”) that does tens of thousands of transactions a year and thus collects millions of pieces of information a year. On or about May 24, 2019, investigative cybersecurity journalist Brian Krebs notified the Title Company [5] that its internet-facing, web-enabled application for the sharing of document images had a vulnerability that potentially exposed more than 800 million real estate and title documents to the public, including images containing sensitive personal information such as social security numbers and personal financial information. See Press Release, SEC Charges Issuer With Cybersecurity Disclosure Controls Failures [6].
The company shortly thereafter issued a press release and a disclosure to the SEC on Form 8-K. However, unbeknownst to both the board and the senior management responsible for the Form 8-K disclosure, the vulnerability, which dated back to 2014, had been discovered by senior IT management in a security assessment report in December 2018 and early 2019, when it was classified as “serious.” It was not remediated until Brian Krebs notified the company of the problem in May 2019. Based upon these facts and others concerning the severity of the data exposure, the SEC noted in the consent order:
Accordingly, the senior executives responsible for the company’s statements in May 2019, did not evaluate whether to disclose the company’s prior awareness of, or actions related to the vulnerability. Because these senior executives were not aware of the January 2019 Report, these senior executives did not know about the vulnerability described in the January 2019 Report. Unbeknownst to these senior executives, the company’s information security personnel had been aware of the vulnerability for months and the company’s information technology personnel did not remediate it, leaving millions of document images exposed to potential unauthorized access for months. Indeed, subsequent to the furnishing of the May 28, 2019, Form 8-K, the company’s information security personnel determined that the vulnerability had in fact existed since 2014. These senior executives thus lacked certain information to fully evaluate the company’s cybersecurity responsiveness and the magnitude of the risk from the EaglePro vulnerability at the time they approved the company’s disclosures.
As discussed above, the company’s business includes providing services involving data related to real estate transactions. Nevertheless, as of May 24, 2019, First American did not have any disclosure controls and procedures related to cybersecurity, including incidents involving potential breaches of that data.
As a result of the conduct described above, First American violated Exchange Act Rule 13a-15(a) [17 C.F.R. § 240.13a-15], which requires every issuer of a security registered pursuant to Section 12 of the Exchange Act to maintain disclosure controls and procedures designed to ensure that information required to be disclosed by an issuer in reports it files or submits under the Exchange Act is recorded, processed, summarized, and reported within the time periods specified in the Commission’s rules and forms.
See SEC Cease and Desist Order in FAF [7]. In the accompanying press release, Kristina Littman, Chief of the SEC Enforcement Division’s Cyber Unit, said: “As a result of First American’s deficient disclosure controls, senior management was completely unaware of this vulnerability and the company’s failure to remediate it.” She added: “Issuers must ensure that information important to investors is reported up the corporate ladder to those responsible for disclosures.” (emphasis added).
Unpacking the 2018 SEC Cybersecurity Guidance and First American
When you add together the 2018 SEC Commissioners’ Cyber Guidance and the SEC’s first-ever finding in FAF of a disclosure control violation relating to cybersecurity risks, there is a lot to unpack. We divide and conquer by looking at the cybersecurity disclosure issues from both their pre-breach aspects (periodic reporting in SEC Forms 10-K and 10-Q) and their breach and post-breach aspects (as in First American).
Here is our non-exclusive list of comments on how to proceed so that when the SEC examines cybersecurity disclosures post-breach they will see that the company and board fulfilled the disclosure requirements and expectations surrounding the material cybersecurity risks facing the company.
The Basics: Cybersecurity Risk is Growing in Materiality—Disclose, Disclose, Disclose
The SEC’s 2011 guidance [8] was issued by the SEC’s Division of Corporation Finance and was its first attempt to define the contours of when, and what sort of, risk disclosure should be issued by registrants to advise investors of a company’s cybersecurity risk profile. The 2011 guidance addressed the impact of cybersecurity incidents in meaningful detail so that registrants could understand why cybersecurity risk is material.
The SEC noted that “Registrants that fall victim to successful cyber-attacks may incur substantial costs and suffer other negative consequences, which may include, but are not limited to: 1) Remediation costs that may include liability for stolen assets or information and repairing system damage that may have been caused, 2) Increased cybersecurity protection costs, 3) Lost revenues resulting from unauthorized use of proprietary information or the failure to retain or attract customers following an attack; 4) Litigation; and 5) Reputational damage adversely affecting customer or investor confidence.”
In the 2011 Guidance, the SEC also defined the far-reaching business impacts of cybersecurity risk along with its pre- and post-breach costs. It noted that:
Registrants should not present risks that could apply to any issuer or any offering and should avoid generic risk factor disclosure. Depending on the registrant’s particular facts and circumstances, and to the extent material, appropriate disclosures may include:
- Discussion of aspects of the registrant’s business or operations that give rise to material cybersecurity risks and the potential costs and consequences;
- To the extent the registrant outsources functions that have material cybersecurity risks, description of those functions and how the registrant addresses those risks;
- Description of cyber incidents experienced by the registrant that are individually, or in the aggregate, material, including a description of the costs and other consequences;
- Risks related to cyber incidents that may remain undetected for an extended period; and
- Description of relevant insurance coverage.
We think the essence of what the SEC is trying to say (rather clairvoyantly in 2011, years before cybersecurity became the titanic issue it is today [9]) was that there are plenty of reasons why cybersecurity presents a material risk to the company. The goings-on in the cybersecurity ecosystem today only confirm this view. [10] Useful contemporaneous disclosure pursuant to the 2011 guidance needs work in several key areas.
First, with regard to systemic risk: the systemic risks that your company’s complex digital business system introduces to others, and that your company inherits from others, require much more attention, first to understand them and then to disclose their potential materiality. Third-party risk is a large part of systemic risk, but so is the inherent level of systemic risk that exists throughout every digital business system. Equifax and other systemic failures relate to internal systemic risks and breakdowns; they were not inherited third-party vulnerabilities.
Attackers have figured out that systemic breakdowns can cause large scale shutdowns such as with Colonial Pipeline, a material event. They are actively targeting and exploiting these risks. Their impacts are growing in materiality and they extend well into connected ecosystems.
Senior Management and Board Oversight of Cybersecurity is Critical
Notably, in their 2018 guidance, the SEC also acknowledged the connection between the board’s role in risk management and cybersecurity risk saying, “To the extent cybersecurity risks are material to a company’s business, we believe this discussion [under item 407(h) of Regulation S-K and Item 7 of Schedule 14A which requires a company to disclose the extent of its board of directors’ role in the risk oversight of the company] should include the nature of the board’s role in overseeing the management of that risk.”
They went on to say “In addition, we believe disclosures regarding a company’s cybersecurity risk management program and how the board of directors engages with management on cybersecurity issues allow investors to assess how a board of directors is discharging its risk oversight responsibility in this increasingly important area.”
Breach and Post-Breach Disclosures—Escalation Matters… a lot!
This is where the rubber met the road in First American. The SEC made it clear in the press release and its Order that the information concerning the vulnerability, its recognition in December 2018 and January 2019, and its failure to be remediated was not known to senior management and the board until after the Form 8-K was issued.
This is arguably not just a failure of the company’s disclosure controls (as the SEC noted) but also a failure of the basics of an incident response plan and a crisis communication plan. Though the board does not need to know of every cybersecurity problem, the Title Company’s massive exposure of potentially millions of pieces of data to the public was something the board needed to know about, both to perform its oversight job and to review the company’s public disclosures for accuracy. It was deprived of this opportunity, to the detriment of both the directors and the investing public. Knowing what is material and what is not in cyber risk is the foundation of boardroom oversight, incident response, and SEC disclosure. Cyber escalation policies requiring board notification and meaningful involvement are a critical part of every incident response and crisis communications plan and system.
In short, in 2018, and once again in 2021, the SEC made it clear that the buck stops with the corporate boardroom on cybersecurity risk and disclosure issues. Make sure investors have transparency into the coordination between the boardroom cybersecurity governance programs and management programs in your periodic disclosures.
Endnotes
[1] See Cybersecurity threats to corporate America are present now ‘more than ever,’ SEC chair says, available at SEC’s Jay Clayton on cybersecurity threats to corporate America (cnbc.com) (“Cyber risks have not gone away with the unfortunate, unforeseen risks we’ve faced with Covid and other uncertainties in our economy,” he said. “They’re still there, and they’re there more than ever.”).
[2] See “The US is readying sanctions against Russia over the SolarWinds cyber attack. Here’s a simple explanation of how the massive hack happened and why it’s such a big deal”, available at What Is the SolarWinds Hack and Why Is It a Big Deal? (businessinsider.com).
[3] See Commission Statement and Guidance on Public Company Cybersecurity Disclosures, or see 83 FR 8168-69.
[4] Ibid.
[5] See First American Financial Corp. Leaked Hundreds of Millions of Title Insurance Records, available at First American Financial Corp. Leaked Hundreds of Millions of Title Insurance Records—Krebs on Security (“The Web site for Fortune 500 real estate title insurance giant First American Financial Corp. [NYSE:FAF] leaked hundreds of millions of documents related to mortgage deals going back to 2003, until notified this week by KrebsOnSecurity. The digitized records — including bank account numbers and statements, mortgage and tax records, Social Security numbers, wire transaction receipts, and drivers license images — were available without authentication to anyone with a Web browser”).
[6] Press Release available at https://www.sec.gov/news/press-release/2021-102.
[7] Order available at https://www.sec.gov/litigation/admin/2021/34-92176.pdf.
[8] See The SEC’s Inaugural Guidance: CF Disclosure Guidance: Topic No. 2 (2011) (https://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm).
[9] Biden: If U.S. has ‘real shooting war’ it could be result of cyber attacks, available at Biden: If U.S. has ‘real shooting war’ it could be result of cyber attacks | Reuters.
[10] See e.g. The 10 Biggest Ransomware Attacks of 2021, available at The 10 Biggest Ransomware Attacks of 2021 | Touro College Illinois.