According to the Ponemon Institute’s Cost of a Data Breach Report, the average cost of a data breach in the United States in 2020 was $8.64 million. That is the price you pay when even a generally careful employee accidentally clicks on a phishing email. The Securities Exchange Commission (SEC) First American Financial Corporation case insists that companies inform their investors about cyber risks.
Despite the rise in the number of cyberattacks and their costs, cybersecurity has been a subject for the tech or Business Continuity Management (BCM) teams and has not garnered the much-needed attention at the Board level (except maybe when ransoms are to be paid). Sadly, in a recent survey, only 4% of executive respondents stated that cybersecurity is on Board meeting agendas every month. This is alarming!
All this is happening despite increased government scrutiny. For instance, in 2018, the Securities Exchange Commission (SEC) included disclosure of cybersecurity controls and procedures in Rule 13a-15(a). The SEC also released guidelines that encouraged companies to establish disclosure procedures for cyber risks and incidents. Companies traditionally release the details of a cyber incident and its effect on the business only after an incident has occurred. These disclosures covered cyber incidents that had already happened, such as data breaches, system control failures, hacks, and control violations.
But the 2018 guidelines ask organizations to also disclose any known potential vulnerabilities that could impact the business. The disclosure must also include the cyber risk measures the company has implemented or is planning to implement, such as cyber insurance costs, incident response plans, detection mechanisms, and more. Investors and the general public must be able to assess the company’s cyber posture and risk. A few of the disclosures include:
- The cybersecurity risks that are likely to make investments in your securities speculative or risky. These include but are not limited to cyber insurance coverage and premiums, the laws and regulations in your industry that affect cybersecurity, and the associated costs.
- Cybersecurity efforts in place and the cost incurred.
- Cybersecurity-related legal proceedings, if any.
- How a cybersecurity incident and its resultant risks affect the company’s financial statements.
- Cybersecurity risk management policies and procedures adopted.
- Cybersecurity risk mitigation policies that prevent insider trading based on non-public information.
Now a landmark announcement made by the SEC on June 15, 2021, on the First American Financial Corporation case should make businesses take this guidance more seriously.
Background of the SEC First American Case
The plaintiff here is First American Financial Corporation, a Delaware-based organization headquartered in Santa Ana, California. It provides products and services related to residential and commercial real estate transactions, including title insurance and escrow services.
In 2013, the corporation launched an application called EaglePro. The application had a security vulnerability that was exploited, causing about 800 million images to be leaked. Most of these images contained purchasers’ and sellers’ non-public personal information (“NPPI”) such as social security numbers and financial information.
Although the company reported this to the SEC through Form 8-K on May 28, 2019, the senior management of First American had not been apprised of the relevance of such information. Hence, the risk this vulnerability posed was not included in the company’s disclosure response.
“As a result of First American’s deficient disclosure controls, senior management was completely unaware of this vulnerability and the company’s failure to remediate it,” said Kristina Littman, Chief of the SEC Enforcement Division’s Cyber Unit. “Issuers must ensure that information important to investors is reported up the corporate ladder to those responsible for disclosures.”
What does this mean to the organizations?
The result of the SEC’s investigation was an order against First American to pay a $487,616 penalty. The attention it brings to making cybersecurity risks part of an organization’s roadmap is vital. The SEC has established a precedent through this announcement. Companies will have to be concerned about regulatory action from the SEC if they are not taking their cybersecurity disclosures seriously.
The Crux of the SEC First American Case
It is clear from the SEC First American case that the SEC is taking cybersecurity seriously and wants to make cybersecurity a shared responsibility. The point of the action is not only risk management but also transparency. First American Corporation had failed to keep its compliance and disclosure executives informed of significant cyber risks. The cyber risks being addressed should be disclosed so that investors can make an informed decision.
Get the Alliant Advantage
It is time to buckle up and start building cybersecurity-related policies that are more transparent. Your policies must inspire confidence in your investors, who can then be certain that you can manage imminent cyber risks to the best extent possible.
Here is where experts from Alliant Cybersecurity can make a difference. Founded by a group of industry leaders with decades of experience in cybersecurity, professional services, and legislation, we make sure you follow the required guidelines and compliance requirements. Additionally, our team works with all your internal departments and offers expert consultation to develop policies that are cutting-edge, low-cost, forward-looking, and implementable should a crisis arise.