On June 14, the Securities and Exchange Commission (SEC) announced a $490,000 settlement with the real estate services provider First American Financial Corporation (First American) for violations of disclosure controls and procedures related to cybersecurity vulnerabilities. Notably, the SEC’s case against First American did not specifically focus on a cyberattack or allege an underlying securities fraud charge, as many of its past cybersecurity enforcement actions have. The First American case signals the SEC Enforcement Division’s continued spotlight on cybersecurity issues and underscores the need for issuers to review and maintain adequate cybersecurity disclosure policies and procedures. We summarize here first some of the Commission’s recent cybersecurity-related enforcement actions and then highlight the First American proceeding.
Background
In February 2018, the SEC issued interpretive guidance on cybersecurity disclosure that emphasized the importance of disclosure controls and procedures and reminded companies and corporate insiders that selective disclosures of material nonpublic information about cybersecurity risks or incidents could implicate concerns…
