“Tone at the Top” or “Talk to the Top”?
SEC Fines Company for Failing to Maintain Cybersecurity Disclosure Controls
The phrase “tone at the top” refers to the commitment of a company’s board of directors and senior management team to internal controls and ethics. If a company’s directors and management team proactively support strong corporate values and an ethical cultural environment, the phrase implies that this tone will trickle down to the company’s middle management and front-line workers. Communication is, however, a two-way street. Information also needs to trickle up to directors and senior management.
On June 15, 2021, the Securities and Exchange Commission (SEC) announced that it had settled charges against First American Financial Corporation (First American), a real estate settlement services company, for certain disclosure controls and procedures violations related to a cybersecurity vulnerability that exposed sensitive customer information. This case highlights the importance of ensuring that cybersecurity issues are reported up the corporate ladder to your company’s board of directors and senior management.
The SEC order indicates that a cybersecurity journalist notified First American on the morning of May 24, 2019 of a vulnerability in the company’s proprietary EaglePro application. This application is used to transmit images of certain title and escrow related documents to First American customers. In response, First American issued a press statement on the evening of May 24, 2019 and furnished a Form 8-K to the SEC on May 28, 2019. A new press release attached to the Form 8-K stated that there was “[n]o preliminary indication of large-scale unauthorized access to customer information” due to the vulnerability.
The information reported in the company’s initial press release and in its Form 8-K and attached press release was not accurate. The vulnerability in the EaglePro application had exposed over 800 million images dating back to 2003. The digitized records contained sensitive personal data, such as bank account numbers and statements, mortgage and tax records, Social Security numbers, wire transaction receipts, and drivers’ license images, and these images had been available without authentication to anyone with a Web browser.
According to the SEC order, the senior executives responsible for the May 2019 public statements had not been apprised of information that would have been relevant to their assessment of the company’s disclosure response and the magnitude of the resulting risk to the company and its customers from the application vulnerability. The order noted that at the time of these public statements, the company’s senior executives had not been informed that the company’s information security personnel had identified the vulnerability several months earlier and that these same personnel had failed to remediate the vulnerability in accordance with the company’s vulnerability remediation management (VRM) policies.
How Did This Happen?
First American’s information security personnel performed a manual penetration test on the EaglePro application, which involved “a security assessment consisting of testing First American’s EaglePro Internet facing application,” between December 2018 and January 2019. That testing revealed a vulnerability in the application. On January 11, 2019, the information security personnel who had performed the manual penetration test shared their report (the “January 2019 Report”) with the company’s information security managers, VRM personnel, and the EaglePro Accountable Remediation Owner (“ARO”). The company’s VRM policies identified the ARO as the “individual responsible for remediating vulnerabilities identified via a vulnerability scan and ingested into the VRM Program.”
The January 2019 Report identified the vulnerability in the EaglePro application as “serious” or level “3” and described the vulnerability as “[a]ccess to PDF’s and OrderDetails without authentication.” The January 2019 Report also noted the following issues highlighting the scope of this vulnerability:
- “[R]eplacing the document ID in the web page URL with another sequential number allows access to other non-related document sessions without authentication.”
- Searches of publicly available search engines “return . . . Title related viewable documents within an EaglePo [sic] session and give direct access to these documents bypassing authentication and present additional related documents in the opened session.”
- “[N]o NPI was discovered in the documents that were reviewed for this report,” but that “[i]t is unknown if any additional documents expose [sic] contained NPI. This requires further investigation by the application owner.”
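The flaw the January 2019 Report describes is a classic broken object-level authorization bug: the document ID in the URL is the only input, so a neighbouring sequential number returns another customer’s file. The following is an added illustration, not First American’s code; the document store, session table and function names are constructed. It places the vulnerable lookup beside a hardened version that requires an authenticated session, re-checks ownership on every fetch, and hands out unguessable per-request handles instead of sequential IDs.

```python
"""Constructed model of an EaglePro-style flaw (document access by sequential
ID with no authentication) next to a hardened lookup. Example code only."""
import secrets

# Constructed sample records: sequential IDs make neighbours trivially guessable.
DOCUMENTS = {
    1001: {"owner": "alice", "title": "Alice closing statement"},
    1002: {"owner": "bob", "title": "Bob wire receipt"},
}
SESSIONS = {"sess-alice": "alice"}  # constructed: session cookie -> user


class AccessDenied(Exception):
    pass


def get_document_vulnerable(doc_id):
    """The flaw as reported: the URL's document ID is the only input, no session
    is checked, and changing the number returns another customer's file."""
    return DOCUMENTS[doc_id]


# Hardened form: opaque, non-sequential handles issued per authorized request.
DOCUMENT_TOKENS = {}


def issue_document_token(session_id, doc_id):
    """Mint an unguessable handle, but only for a document the caller owns."""
    user = SESSIONS.get(session_id)
    if user is None or DOCUMENTS[doc_id]["owner"] != user:
        raise AccessDenied("not authenticated or not the document owner")
    token = secrets.token_urlsafe(32)
    DOCUMENT_TOKENS[token] = doc_id
    return token


def get_document_hardened(session_id, token):
    """Require a valid session AND re-check ownership on every fetch; the token
    alone is never sufficient, and guessing a neighbour is infeasible."""
    user = SESSIONS.get(session_id)
    if user is None:
        raise AccessDenied("authentication required")
    doc_id = DOCUMENT_TOKENS.get(token)
    if doc_id is None or DOCUMENTS[doc_id]["owner"] != user:
        raise AccessDenied("document not available to this user")
    return DOCUMENTS[doc_id]


def is_denied(fn, *args):
    """Helper for checks: True if the call is refused with AccessDenied."""
    try:
        fn(*args)
    except AccessDenied:
        return True
    return False
```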
Under the company’s VRM policies, a level 3 severity vulnerability was considered a “medium risk” and remediation of the vulnerability was required within 45 days. If an ARO was unable to remediate an issue within the timeframe prescribed under the policy, the ARO was to request that his or her manager contact “Information Security” to discuss the remediation plan and proposed remediation time period. If remediation of the vulnerability was not technically possible or if the cost of remediation was prohibitive, the ARO and his or her manager were required to contact “Information Security” to obtain a waiver or risk acceptance approval from the company’s Chief Information Security Officer (CISO). In this case, neither the ARO nor his or her manager requested a waiver or risk acceptance from the CISO.
The bad facts did not stop there. Due to a clerical error, the vulnerability was erroneously entered into the company’s VRM tracking system as a level “2” or “low risk” severity. Even with this input error, a level “2” or “low risk” vulnerability should have been remediated within 90 days. This remediation date, May 8, 2019, was more than two weeks before the company was contacted about the vulnerability by a journalist.
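The policy described above (45 days for level 3, 90 days for level 2, a CISO waiver when the deadline cannot be met) is only effective if something checks it. The following is an added example of that kind of automated control, not First American’s tooling; the record layout, field names, and the level 4 and level 1 deadlines are assumptions, and the sample findings are constructed to mirror the article’s timeline. It computes each deadline from the severity in the pentest report rather than the tracker entry, so a clerical downgrade does not quietly extend the clock, and it flags open findings that are past deadline with no CISO waiver.

```python
"""Added example: deadline and escalation check for a vulnerability
remediation (VRM) tracker. Constructed records; not First American's code."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Days allowed per severity level. Levels 3 and 2 are as the article describes
# the policy; levels 4 and 1 are assumed for illustration.
SLA_DAYS = {4: 15, 3: 45, 2: 90, 1: 180}


@dataclass
class Finding:
    ident: str
    title: str
    report_severity: int       # severity as assessed in the pentest report
    tracker_severity: int      # severity as entered in the VRM tracker
    reported: date
    remediated: Optional[date] = None
    waiver_approved_by_ciso: bool = False


def remediation_deadline(f):
    """Deadline driven by the report's severity, not the tracker entry, so a
    clerical downgrade in the tracker cannot silently extend the deadline."""
    return f.reported + timedelta(days=SLA_DAYS[f.report_severity])


def review(findings, today):
    """Return (finding id, issue) pairs that must be escalated above the ARO."""
    issues = []
    for f in findings:
        if f.report_severity != f.tracker_severity:
            issues.append((f.ident, "severity mismatch: report level %d, "
                           "tracker level %d" % (f.report_severity, f.tracker_severity)))
        overdue = f.remediated is None and today > remediation_deadline(f)
        if overdue and not f.waiver_approved_by_ciso:
            issues.append((f.ident, "overdue since %s with no CISO waiver"
                           % remediation_deadline(f).isoformat()))
    return issues


# Constructed sample: a level-3 finding reported 2019-01-11, mis-entered as
# level 2 and still open on 2019-05-24, beside one that was fixed in time.
SAMPLE = [
    Finding("EP-1", "Access to PDFs and OrderDetails without authentication",
            3, 2, date(2019, 1, 11)),
    Finding("EP-2", "constructed finding, remediated on time",
            2, 2, date(2019, 1, 11), remediated=date(2019, 3, 1)),
]
```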
The company’s senior executives responsible for the May 24, 2019 press statement and for the Form 8-K and new press release submitted to the SEC on May 28, 2019 had not been made aware of the January 2019 Report. Before releasing those statements, they did not know about the vulnerability it described or about the company’s failure to remediate that vulnerability on time. Someone once said that life is about not knowing. That sentiment does not hold true for directors and senior management team members. In this case, their lack of knowledge of the relevant facts regarding this significant system vulnerability and the resulting leak of customer information caused problems for the company.
What Happened Next?
The SEC order charged First American with violating Rule 13a-15(a) of the Exchange Act. The SEC alleged that First American had failed to maintain disclosure controls and procedures designed to ensure that all available and relevant information concerning the system vulnerability was timely analyzed and appropriately disclosed in the company’s public reports filed with the SEC.
Kristina Littman, Chief of the SEC Enforcement Division’s Cyber Unit, commented that “[a]s a result of First American’s deficient disclosure controls, senior management was completely unaware of this vulnerability and the company’s failure to remediate it.” She further noted that “[i]ssuers must ensure that information important to investors is reported up the corporate ladder to those responsible for disclosures.” First American did not admit or deny any of the SEC’s findings, but the company agreed to a cease-and-desist order and the payment of a civil money penalty of $487,616 to the SEC.
What are Some Key Take-aways?
Written procedures can provide employees with detailed guidance on any number of important workplace issues, but a procedure is simply a compilation of words. Companies need to ensure that their employees understand and follow all applicable written procedures and that controls are in place and monitored to ensure compliance with these procedural requirements.
Also, a silo mentality can prevent important information from being reported up the corporate ladder. A silo mentality tends to reduce organizational transparency and efficiency and, as it did in this case, increase risks to the company. Companies need to ensure that employees are not reluctant to share information with their managers and that managers are not reluctant to share information on up the corporate ladder. “If you see something, say something” is not simply a phrase limited to the reporting of suspicions of criminal misconduct.
This settlement is a good reminder that companies need to ensure that their directors and senior management team are informed of both the good news and the bad news. It is important for all employees to “walk the words” in the company’s procedures and to “talk to the top” to ensure that issues are reported up the corporate ladder.
Even if your company is not a public company, your directors and senior management team cannot make informed decisions or accurate representations on behalf of the company or ensure that the company has planned and budgeted appropriately for cybersecurity risks and data breach incidents if they are not being regularly and fully informed about the company’s potential cybersecurity risks and actual incidents. As noted in our prior blog posting, corporate directors need to understand their company’s cybersecurity risks and ensure that their companies can timely respond to these risks. They cannot ensure they are providing this kind of proactive oversight if a silo mentality so permeates the company that important information, such as the exposure of over 800 million customer records, does not flow up the corporate ladder in a timely manner.