The Securities and Exchange Commission fined a real estate services company for inadequate disclosure controls and procedures violations related to a cybersecurity vulnerability that exposed hundreds of thousands of sensitive customer records.
In 2019, a cybersecurity journalist discovered and notified the real estate services company about a vulnerability with its document and images sharing app that exposed over 800 million images dating back to 2003, including documents that contained sensitive personal information such as Social Security numbers and other nonpublic financial information. The company issued a press release the same day, and furnished a Form 8-K notifying the SEC of the incident.
According to the SEC’s order, however, senior executives responsible for issuing the press release had not been made aware that the company’s information security team had identified the vulnerability responsible for the data leak months earlier, and failed to remediate these vulnerabilities in accordance with company policy.
Neither the public statement, nor the Form 8-K, contained any mention of the company’s prior awareness of the vulnerability, presenting the revelation, instead, as the first instance the company knew of the vulnerability. The SEC’s investigation uncovered, however, that the Chief Information Security Officer and the Chief Information Officer learned of an internal manual penetration test performed in January 2019 which found “serious” or “level 3” vulnerability in the app in the days prior to the company submitting its disclosures, but failed to share this information with senior executives responsible for the regulatory disclosures.
The SEC Charges
The SEC found that the company failed to maintain disclosure controls and procedures designed to ensure all available, relevant information concerning the vulnerability, was analysed for disclosure in the company’s public reports filed with the commission. The SEC’s order charged violations of Rule 13a-15(a), 17 C.F.R. § 240.13a-15 of the Exchange Act. Without admitting or denying the SEC’s findings, the company agreed to pay a $487,616 penalty.
As explained in the SEC Order, Exchange Act Rule 13a-15(a) requires that every issuer of a security registered pursuant to Section 12 of the Exchange Act to maintain disclosure controls and procedures designed to ensure that information required to be disclosed by an issuer in reports it filed or submits under the Exchange Act is recorded, processed, summarized, and reported within the time periods specified in the Commission’s rules and forms.
Regulators are paying close attention to cyber security incident responses, and scrutinizing the quality of investigations. Companies should, therefore, resist the temptation to sidestep a thorough investigation when responding to a compromise of critical systems or other data security incident in exchange for swift or premature notification to affected individuals, corporate clients, and regulatory authorities. When facing a data security incident, invest appropriate time and resources into the investigation. Understand the root cause, reliably assemble what is known or unknown about the compromised system under attorney-client privilege, and only then make public statements in accordance with applicable law. In addition, routinely audit your own internal security incident response plan. Few efforts reveal more about your organization’s readiness than honest testing. Run through some core questions and scenarios, and then use those experiences to enhance your incident response plan. Finally, it is often worthwhile to check your own internal team’s findings with an external forensics provider. In the heat of responding to an incident, objective external voices about your specific situation can prove invaluable.
To read the full SEC Order, click here. If you have any questions about this enforcement action or any other privacy law, please do not hesitate to reach out to one of the Contact Partners listed below.