Clifford Chance
SEC Enforcement Action Against First American Underscores Importance of Accurate Disclosures of Cybersecurity Risk
June 16, 2021
Signalling the increasing risks companies face not just from cybersecurity breaches but also disclosures about those vulnerabilities, the Securities and Exchange Commission announced a settlement with First American Financial Corporation on June 15, 2021, regarding a cybersecurity vulnerability in the company's systems that exposed hundreds of millions of financial documents, many of which contained sensitive personal data such as social security numbers and financial information. First American agreed to an approximately USD 500,000 civil penalty along with an order to cease and desist from committing or causing future violations. Of note, the SEC charges against First American were not based on inadequate cybersecurity; rather, the Commission fined the issuer for inaccurate and incomplete public disclosures stemming from the company's failure to ensure that senior executives were adequately informed of the vulnerability and the resulting risk to the company. The settlement underscores how important it is for senior executives to stay informed about a company's cybersecurity health.
