Cybersecurity is a key topic for issuers and members of the public. A cybersecurity breach can put at risk or expose the personal data of thousands of individuals. The Commission has brought a number of cases in this area over the years. With the recent focus on international hacking, and organizations with ties to foreign countries blackmailing firms, concern regarding the installation and maintenance of the proper controls is increasing rapidly. The Commission’s most recent case in this area involved a large real estate firm. It is an example of the type of actions that may soon become a focus for SEC enforcement.

In the Matter of First American Financial Corporation, Adm. Proc. File No. 3-20367 (June 14, 2021) is an example of the type of cybersecurity case that may become a new staple of the enforcement program. First American is a California-based provider of products and services tied to residential and commercial real estate transactions. The firm’s Title Insurance and Services segment issues title insurance policies on residential and commercial property along with closing and escrow services. The data collected includes material non-public personal information such as social security numbers and financial data. About 91% of the firm’s revenue comes from this segment.

In May 2019 the firm had a repository of about 800 million document images that contained non-public personal information (NPPI). The images with NPPI were supposed to be marked with the legend “SEC.” Tagging the documents in this manner was done manually. There were misclassifications.

Prior to May 2019 the firm transmitted documents to customers in secure and unsecure packages. The former required password verification by the recipient. The latter did not. Yet the contents of the secure packages could be shared by the recipient with others without password verification.

The system for maintaining and transmitting the materials had a flaw. Before May 2019 a user could take the URL generated as part of a package, which contained the link to an image of NPPI, and alter the digits in the URL to view other materials. When this flaw was identified, the firm’s disclosure control procedures required that it be remedied within relatively short time periods, depending on the severity of the risk. Here the risk should have been categorized as medium but instead was labeled low. It was not remedied within the time limits set for either medium or low risks.
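The flaw described above is a missing authorization check on a guessable document number. The sketch below is an added example, not First American's code or anything taken from the Order: it contrasts a lookup that trusts the number in the URL with one that binds each link to a package and document using an HMAC tag. The document IDs, package names, key and function names are all constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample data: sequentially numbered document images.
DOCUMENTS = {
    1001: "closing statement (package A)",
    1002: "wire instructions with NPPI (package B)",
    1003: "deed copy (package A)",
}
# Hypothetical model: the documents each package is allowed to expose.
PACKAGES = {"pkg-a": {1001, 1003}, "pkg-b": {1002}}
LINK_KEY = b"demo-only-key"  # placeholder; a real key belongs in a secret store


def fetch_unchecked(doc_id):
    """Flawed pattern: the number in the URL is the only access control."""
    return DOCUMENTS.get(doc_id)


def sign_link(package_id, doc_id):
    """Server-side: bind a link to one package and one document."""
    msg = f"{package_id}:{doc_id}".encode()
    return hmac.new(LINK_KEY, msg, hashlib.sha256).hexdigest()


def fetch_checked(package_id, doc_id, tag):
    """Serve a document only if the tag verifies and the package contains it."""
    expected = sign_link(package_id, doc_id)
    if not hmac.compare_digest(expected, tag):
        return None  # digits in the link were changed, or the tag was forged
    if doc_id not in PACKAGES.get(package_id, set()):
        return None  # valid tag, but the document is outside this package
    return DOCUMENTS.get(doc_id)
```

The membership check is kept in addition to the tag so that a signing mistake on the server side still cannot expose a document outside the recipient's package.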

Subsequently, on May 24, 2019 a cybersecurity journalist contacted the firm about its web application, noting that there was a leak involving over 800 million documents. First American issued a statement that the journalist published, noting that the company had learned of a design issue and “took immediate action to address the situation and shut down external access to the application.” The statement was reiterated in a Form 8-K. The senior executives at the firm, however, were not aware of the facts about the incident prior to the statement release. Indeed, those executives were not aware that the vulnerability had been identified months earlier. The Order alleges violations of Exchange Act Rule 13a-5.

To resolve the matter, First American consented to the entry of a cease-and-desist order based on the Rule. The firm also agreed to pay a penalty of $487,616.


There are times when everything in Washington seems to be in gridlock. One party wants to advance this bill; the other party does not. Everyone meets to discuss and nothing happens except next item up on the agenda and time to move on. Was it always like this or is it worse now? Unfortunately, nobody can agree on that either.

That kind of bickering can also trickle down to independent agencies such as the Commission. Those entities were structured to be independent of the political processes. The Commissioners are drawn from different parties to furnish a variety of views. The Chair is selected by the President. And the Senate has to confirm each Commissioner and the Chair.

The question, however, is whether the SEC is becoming more politicized. More importantly, if it does become more politicized, will the agency be able to faithfully carry out its investor protection obligations?

To date there is some evidence indicating splintering approaches at the agency. Earlier this year Commissioners seemed to have divergent views, for example, on the role of the agency regarding climate change and ESG. See, e.g., Acting Chair Allison Herren Lee, Statement on the Review of Climate-Related Disclosure (February 24, 2021) and Commissioners Hester Peirce and Elad Roisman, Enhancing Focus on the SEC’s Enhanced Climate Change Efforts (March 4, 2021).

Recently, the splintering approach seems to be continuing. Consider, for example, the recent remarks by Commissioners Hester Peirce and Elad Roisman, titled Moving Forward or Falling Back? Statement on Chair Gensler’s Regulatory Agenda (June 14, 2021). There the two Commissioners cite the Unified Agenda of Regulatory and Deregulatory Action released last Friday as the predicate for their comment. The directive to the staff listed on the Agenda “to consider revisiting recent regulatory actions taken with respect to proxy voting advice businesses” was labeled the “opening salvo in an effort to reverse course on a series of recently completed rulemaking,” according to the Commissioners. This includes a series of rulemakings ranging from the proxy rules to accredited investors to resource extraction payments.

Historically the Commission has “embraced a transparent, methodical and rigorous rulemaking process to ensure its rules reflect sound policy . . .” that permit registrants to operate in a consistent manner, the two Commissioners noted. Yet the items cited have only been on the books for very brief time periods. The point, apparently, is that the Agenda items are really an effort to undo the work of the prior administration.

Perhaps. At the same time it seems clear that Chair Gensler, and those who want to revisit the recently issued rules, could say that the provisions cited were political. Thus they need to be reconsidered. Perhaps.

Regardless of which side is correct, the key point is that the agency is heading toward the kind of gridlock seen on Capitol Hill and in Congress. If that is the case, its independence is being compromised; the losers will be the registrants, markets and the public. Transparency and investor protection will be lost in a cloud of political posturing. In the end, the agency will not be able to fulfill its historic mission. Before that happens, perhaps the Chair and the Commissioners can take a step back and consider the mission of the agency and their responsibility to help implement it.
