Once again, a “control failure” is a lever used by SEC
Enforcement to bring charges against a company, this time for
failure to timely disclose a cybersecurity vulnerability.
Yesterday, the SEC announced settled charges against a real estate
settlement services company, First American Financial Corporation,
for violation of the requirement to maintain adequate disclosure
controls and procedures “related to a cybersecurity
vulnerability that exposed sensitive customer
information.” This action follows charges regarding
control violations against GE (see this PubCo post), HP, Inc. (see this PubCo post) and Andeavor (see this PubCo post) where, instead of attempting
to make a case about funny accounting or, in Andeavor, a defective
10b5-1 plan, the SEC opted to make its point by, among other
things, charging failure to maintain and comply with internal
accounting controls or disclosure controls and
procedures. Companies may want to take note that charges
related to violations of the rules regarding internal controls and
disclosure controls seem to be increasingly part of the SEC’s
Enforcement playbook, making it worthwhile for companies to make
sure that…
