Over the last five years, cybersecurity has consistently been a top priority of the Securities and Exchange Commission (“SEC”). We have written about the SEC’s focus on cybersecurity in July 2020 and January 2020. With an additional enforcement action in June, the SEC is continuing to signal that firms regulated by the SEC need to have appropriate risk management and cybersecurity controls in place. While this case study isn’t directly related to Investment Advisers, they would be wise to learn lessons from this story.
First American Financial Corporation (“First American”) is a real estate settlement services provider. In that capacity, it stores certain non-public personal information (“NPPI”) of real estate purchasers and sellers. An internal audit in 2018 found that certain NPPI held by First American was not stored securely.
Subsequently, First American conducted a vulnerability test, which culminated in a written report in January 2019. In the report, information security personnel determined that certain website URLs First American provided to customers contained a number that could be replaced with a different number to gain unauthorized access to NPPI.
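The flaw described above, modeled as an added illustration that is not code from the post or from First American: a record number in a link is trusted as proof of entitlement, next to a handler that checks the requester against the record and, going one step beyond the text, links built on unguessable tokens. The record numbers, party names and function names are constructed for the example.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple

@dataclass
class Document:
    doc_id: int
    parties: FrozenSet[str]  # parties entitled to view this closing document
    contents: str

# Constructed sample store keyed by sequential numbers (the weak design).
DOCUMENTS: Dict[int, Document] = {
    1001: Document(1001, frozenset({"buyer-a"}), "Buyer A: SSN, bank details"),
    1002: Document(1002, frozenset({"buyer-b"}), "Buyer B: SSN, bank details"),
}

def fetch_document_vulnerable(doc_id: int) -> Optional[str]:
    """Flawed handler: the number in the URL is the only thing checked."""
    doc = DOCUMENTS.get(doc_id)
    return doc.contents if doc else None

def fetch_document(doc_id: int, requester: str) -> Optional[str]:
    """Hardened handler: serve a record only to a party listed on it."""
    doc = DOCUMENTS.get(doc_id)
    if doc is None or requester not in doc.parties:
        return None  # same answer for "no such record" and "not your record"
    return doc.contents

# Hypothetical token-based links: the token is random, so adjacent records
# cannot be reached by editing a number, and the party is still re-checked.
LINKS: Dict[str, Tuple[int, str]] = {}

def issue_link(doc_id: int, party: str) -> str:
    if party not in DOCUMENTS[doc_id].parties:
        raise PermissionError("party is not on this document")
    token = secrets.token_urlsafe(32)
    LINKS[token] = (doc_id, party)
    return token

def fetch_by_link(token: str, requester: str) -> Optional[str]:
    entry = LINKS.get(token)
    if entry is None or entry[1] != requester:
        return None
    return fetch_document(entry[0], requester)

if __name__ == "__main__":
    # Buyer A's link pointed at 1001; editing it to 1002 reaches Buyer B's NPPI
    print(fetch_document_vulnerable(1002))
    # with the entitlement check, the same request from Buyer A returns nothing
    print(fetch_document(1002, "buyer-a"))
```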
First American’s policies and procedures required it to categorize the risk of the vulnerability; due to a clerical error it was categorized as “low risk” instead of “medium risk.” First American also failed to remediate the vulnerability, or to reassess the remediation timeframe, within the period prescribed by its procedures.
In May of 2019, a journalist informed First American about a vulnerability within its systems that exposed NPPI dating back to 2003. First American provided the journalist with a statement indicating this issue was “of the highest priority” and “the company took immediate action to address the situation.” First American also filed a Form 8-K indicating that there was “[n]o indication of large-scale unauthorized access to customer information.”
The Chief Information Security Officer (“CISO”) and Chief Information Officer (“CIO”) both learned about this vulnerability only after the journalist contacted First American. The CISO and CIO both participated in meetings with senior executives to craft the disclosures First American made regarding the company’s knowledge of the vulnerability and the scope of the breach. However, the senior executives were not made aware of the full history of the vulnerability or of the January 2019 report.
The SEC ultimately determined that these executives lacked the information needed to fully evaluate the risk and the company’s responsiveness when they drafted and approved the disclosures. First American consented to an order, neither admitting nor denying the findings (other than jurisdiction), and to a civil monetary penalty of $487,616.
If firms want to avoid enforcement actions such as this one, they need to regularly update their policies and procedures to ensure they remain effective. Firm executives, information technology specialists, and compliance departments need to work together to form a cohesive strategy each time a vulnerability is identified. There also needs to be sufficient executive oversight of vulnerabilities concerning NPPI so that remediation of those vulnerabilities is actually supervised.
Parker MacIntyre provides legal and compliance services to investment advisers, broker-dealers, registered representatives, hedge funds, and issuers of securities, among others. Our Investment Adviser Group assists financial service providers with complex issues that arise in the course of their business, including complying with federal and state laws and rules. Please visit our Investment Adviser Practice Group page for more information.