SEC cyber orders: If you say it, do it and make required incident disclosures

The Securities and Exchange Commission (SEC) has ramped up its cybersecurity enforcement, filing several administrative orders and signaling increased scrutiny of both cyber-related disclosures and compliance with the Safeguards Rule.

I. Inadequate Cybersecurity Disclosure Enforcement

Two recent SEC orders focused on violations of the cybersecurity risk disclosure obligations that flow from the reporting requirements of the Securities Act and the Securities Exchange Act. The SEC's 2018 Statement and Guidance on Public Company Cybersecurity Disclosures called attention to public companies' obligations to "inform investors about material cybersecurity risks and incidents in a timely fashion." The guidance emphasizes the need to disclose cybersecurity incidents and to implement controls that support open communication and timely disclosure of risks and incidents, both to the SEC and to executive officers. The following orders illustrate how critical the SEC considers these disclosures and disclosure controls to be.

A. SEC Enforcement against Pearson

Pearson, a multinational educational publishing and services company, was fined by the SEC for material misstatements and omissions related to a 2019 cybersecurity event that affected 13,000 of Pearson's customers. In its August 16, 2021 order, the SEC focused on statements in Pearson's Form 6-K[1] disclosure and in a media statement made several months after Pearson discovered the breach. According to the order, the vulnerability that was eventually exploited by the attackers, exposing millions of rows of student data, was brought to Pearson's attention by a notice from the software manufacturer in September 2018. Pearson did not apply the patch until March 2019, when it allegedly first learned of the breach, and did not notify affected individuals until late July 2019.

Pearson nonetheless filed a Form 6-K in late July 2019 stating, as a hypothetical risk factor, that a data privacy incident or a failure to comply with data privacy regulations could result in a major data privacy or confidentiality breach. This language was identical to Pearson's prior Form 6-K disclosures and did not reference or signal that Pearson had, in fact, suffered a major data privacy breach. In a media statement, Pearson disclosed certain facts about the incident and stated that it had "strict data protections" in place.

The SEC took issue with both the Form 6-K and the media statement. In particular, the SEC found that presenting a cybersecurity incident as a hypothetical risk on the Form 6-K was misleading, given that such an incident had already occurred. The SEC also found the media statement misleading because Pearson allegedly failed to disclose the actual exfiltration of usernames and passwords, and because the claim of "strict data protections" sat alongside a months-long failure to patch a known vulnerability.

The SEC found that Pearson violated Section 17 of the Securities Act, requiring accurate and true statements of material facts in reporting, and Section 13 of the Exchange Act, requiring disclosure controls and procedures. Pearson was fined $1,000,000.

B. SEC Enforcement Against First American Financial Corp.

The SEC’s enforcement order against First American Financial Corp. (First American), a real estate settlement services and title insurance provider, focused on alleged disclosure deficiencies related to internal disclosure controls and procedures concerning a cybersecurity vulnerability.

Significantly, the enforcement order did not arise out of a breach, but out of an exposed vulnerability in First American's EaglePro application (EaglePro). EaglePro, used for document sharing related to real estate transactions, contained millions of confidential data points. Long before First American's May 28, 2019 SEC Form 8-K submission and press release about the vulnerability, internal cybersecurity personnel allegedly were aware of its existence. The SEC alleged that during scheduled manual penetration testing in January 2019, testers discovered that EaglePro document URLs could be altered to gain access to other parties' documents, and that cached images of title and escrow documents could be found in search engines. Despite this discovery, the vulnerability was not remediated.
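The flaw described above is the classic direct object reference problem: a document is served to whoever holds (or guesses) its URL, with no check that the requester is a party to that transaction. The following is an added illustration of that flaw class and its fix, written for this page; it is not First American's or EaglePro's code, and the document store, user identifiers, sequential document numbers and response headers are all constructed assumptions.

```python
# Added example, not code from any company named on this page.
# Shows a document-sharing lookup that trusts the URL parameter as-is,
# beside a hardened version that checks the caller's authorization and
# tells search engines and shared caches not to retain the response.
from dataclasses import dataclass
import secrets


@dataclass(frozen=True)
class Document:
    doc_id: str
    parties: frozenset  # authenticated user ids allowed to view this document
    body: str


# Constructed sample store. Sequential ids mean a neighbouring document is
# one URL edit away, which is exactly the weakness penetration testers look for.
DOCS = {
    "1001": Document("1001", frozenset({"buyer-a", "escrow-1"}), "wire instructions A"),
    "1002": Document("1002", frozenset({"buyer-b", "escrow-1"}), "wire instructions B"),
}


class Forbidden(Exception):
    """Raised when the caller may not see the requested document."""


def vulnerable_get(doc_id: str) -> str:
    """Returns any document that exists: possession of the link is the only 'authorization'."""
    doc = DOCS.get(doc_id)
    if doc is None:
        raise KeyError(doc_id)
    return doc.body


def hardened_get(doc_id: str, user_id: str) -> str:
    """Looks the document up, then enforces that the authenticated user is a party to it.

    'Missing' and 'not yours' return the same error so an attacker cannot use the
    response to enumerate which ids exist.
    """
    doc = DOCS.get(doc_id)
    if doc is None or user_id not in doc.parties:
        raise Forbidden("document not available")
    return doc.body


def response_headers() -> dict:
    """Headers the hardened endpoint should send with every document response.

    Cache-Control stops shared caches from storing the body; X-Robots-Tag asks
    crawlers not to index a page that should never have been reachable anyway.
    """
    return {
        "Cache-Control": "private, no-store",
        "X-Robots-Tag": "noindex, nofollow",
    }


def new_doc_id() -> str:
    """Unguessable id for newly created documents.

    Defence in depth only: it makes neighbouring documents hard to guess but is
    no substitute for the authorization check in hardened_get().
    """
    return secrets.token_urlsafe(16)


if __name__ == "__main__":
    # A user entitled to document 1001 edits the URL to 1002.
    print(vulnerable_get("1002"))            # leaks another party's document
    try:
        hardened_get("1002", "buyer-a")
    except Forbidden as exc:
        print("hardened endpoint:", exc)     # refused
```

The important design point is the order of operations in hardened_get(): the authorization decision is made against the record actually fetched, per request, rather than against a list the client supplies, and the refusal is indistinguishable from a missing record. Random ids and no-store headers address the two symptoms the testers found (guessable URLs and cached copies in search engines) but neither fixes the underlying missing check.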

Though this alleged failure to remediate could in and of itself be a significant cybersecurity issue, the SEC focused on First American's failure to inform its CISO and CIO about the vulnerability. According to the SEC, it was not until a cybersecurity journalist contacted the company about the vulnerability on May 24, 2019 that First American took steps to notify the public. After this revelation, First American filed a Form 8-K with the SEC.[2] At the time of filing, First American's senior executives allegedly were not aware that the vulnerability had been identified several months earlier and had not been patched or otherwise remediated.

The SEC fined First American $487,616 for violating the disclosure controls and procedures requirement under Section 13 of the Exchange Act, specifically citing the senior executives' lack of knowledge of the January 2019 discovery and their public statement that they "took immediate action to address the situation" as evidence of deficient disclosure controls and procedures.[3]

II. Violations of the Safeguard Rule

Three separate SEC orders alleging violations of the SEC's Safeguards Rule were filed against a group of Cetera entities, a group of Cambridge entities, and KMS Financial Services Inc. The firms are all registered broker-dealers and investment advisors with both corporate employees and independent contractor representatives.

The Safeguards Rule requires every broker, dealer, investment company and investment advisor registered with the SEC to adopt written policies and procedures that address administrative, technical, and physical safeguards to protect customer records and information. 17 CFR § 248.30. The written policies and procedures must be reasonably designed to:

  • Insure the security and confidentiality of customer records and information;
  • Protect against any anticipated threats or hazards to the security and integrity of customer records and information; and
  • Protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer.

The Chief of the SEC Enforcement Division's Cyber Unit stressed that written policies must actually be carried out: "It is not enough to write a policy requiring enhanced security measures if those requirements are not implemented or are only partially implemented, especially in the face of known attacks."[i]

A. SEC Enforcement Against Cetera Entities

The Cetera entities (Cetera), SEC-registered broker-dealers and investment advisors, used cloud-based email services for communications. Despite an information security policy that required multi-factor authentication (MFA) "wherever possible but at a minimum for privileged and high risk access" for any cloud-based service, Cetera allegedly did not enforce this policy. The SEC alleged that between November 2017 and June 2020, over 60 Cetera email accounts were taken over, exposing the personally identifying information (PII) of an estimated 4,388 customers. After the first incident was discovered, Cetera required MFA for employees, but not for contractor representatives. Contractor representative email accounts were subsequently taken over as well, exposing thousands of additional customers' PII.

The SEC enforcement order cited Cetera's alleged failure to fully implement the MFA requirement for email and allegedly misleading statements in Cetera's 2018 and 2019 breach notification letters. The SEC asserted that Cetera's MFA policy "was not reasonably designed to be applied to email accounts of Cetera Entities' contractor representatives and offshore contractors, whose systems and access to sensitive data was generally at the same or higher risk of compromise than the systems and access used by Cetera Entities' employees." On the letters, the SEC found that describing the breaches as "recent," which suggested they had occurred about two months earlier when they had in fact occurred six months earlier, was misleading and may have led customers to overlook suspicious activity in their own accounts during the earlier window. Cetera was fined $300,000.

B. SEC Enforcement Against Cambridge Entities

In a similar enforcement order, the SEC fined the Cambridge entities $250,000 for failing to implement firm-wide enhanced security measures for several years after discovering email account takeovers. The SEC asserted that Cambridge had provided only guidance to its 4,330 independent contractors and did not require them to follow the written MFA policy. Even after discovering that several independent contractors' email accounts had been taken over, Cambridge allegedly still did not require MFA, which allegedly resulted in the exposure of approximately 2,177 customers' PII.

C. SEC Enforcement Against KMS

The SEC's enforcement order against KMS, a broker-dealer and investment advisory firm, likewise involved allegedly incomplete and delayed implementation of cybersecurity policies. The SEC alleged that, for more than a year, KMS financial advisor email accounts were accessed by unauthorized third parties, exposing approximately 4,900 customer accounts. In one instance, 2,700 emails from a single advisor were exposed for 26 days. KMS' forensic investigation team recommended expediting MFA for all employee and independent contractor email accounts. KMS changed the passwords and enabled MFA immediately, but only for the impacted accounts; full implementation did not occur until 21 months after the breach was discovered. The SEC also cited KMS' failure to adopt a specifically tailored incident response policy as a violation of the Safeguards Rule. KMS was fined $200,000.

III. Conclusion

What these five SEC enforcement orders demonstrate is two-fold. First, SEC-registered companies should focus as much on implementing their cybersecurity policies and procedures as on writing them: written policies are simply not enough if full and comprehensive implementation is not achieved. Second, the orders show the SEC's willingness and ability to investigate extensively and then sanction companies for cyber-related deficiencies, even in the absence of a data breach.


[1] The SEC’s Form 6-K is a required disclosure for any foreign securities issuer, and requires the company to include any material information that may affect the sale of the securities.

[2] Form 8-Ks are used by companies to report unscheduled material events of importance to shareholders.

[3] Also of note are charges against First American Title Insurance Company, by the New York Department of Financial Services (NYDFS), filed first in July 2020 and amended in March 2021, for violations of NYDFS’ Cybersecurity Regulation. The charges allege deficiencies in its vulnerability management program, deficiencies in qualifications of key personnel and failure to remedy a known vulnerability, exposing hundreds of millions of documents containing consumer personal information. A hearing is set for January 21, 2022.

[i] SEC Announces Three Actions Charging Deficient Cybersecurity Procedures, https://www.sec.gov/news/press-release/2021-169 (August 30, 2021)