Disclosure Controls and Procedures – Not Just a Quarterly Certification

On June 15, 2021, the SEC announced that it had settled charges against First American Financial Corporation for failures in First American’s disclosure controls and procedures.  Rule 13a-15(a) under the Exchange Act requires issuers to maintain disclosure controls and procedures designed to ensure that information required to be disclosed by an issuer in reports it files or submits under the Exchange Act is recorded, processed, summarized and reported within the time periods specified in the SEC’s rules and forms. 

According to the SEC’s order, in May 2019, company management learned from a journalist that the company was experiencing a cybersecurity vulnerability that had resulted in the inadvertent public availability of customers’ personal data.  First American responded by issuing a statement to the press explaining that the company had learned of a design defect that had resulted in “possible unauthorized access to customer data” and had taken “immediate action to address the situation and shut down external access” to the data.  A few days later, First American issued a press release that was also furnished on Form 8-K.  In the release, the company reported that there was “[n]o preliminary indication of large-scale unauthorized access to customer information.”

Contrary to these disclosures, the SEC found that the vulnerability had exposed sensitive personal data, including social security numbers, in over 800 million images of customer documents for a period dating back to as early as 2003.  The SEC also found that the senior executives of the company who were responsible for the May 2019 disclosures were, when approving such disclosures, lacking certain information necessary for them to assess the magnitude of the risk, as well as First American’s response to the risk.  In particular, the SEC determined that management did not know that the company’s information security personnel had identified the vulnerability several months earlier and had not remediated it as required by the company’s “vulnerability remediation management” policies.    

Based on this conduct, the SEC found that First American failed to maintain disclosure controls and procedures designed to ensure that all available, relevant information concerning the company’s cybersecurity vulnerability was analyzed by management in connection with the company’s filings with the SEC.  Without admitting or denying the SEC’s findings, First American agreed to a cease-and-desist order and to pay a $487,616 penalty.  The chief of the SEC Enforcement Division’s Cyber Unit noted that “[i]issuers must ensure that information important to investors is reported up the corporate ladder to those responsible for disclosures.”