New Cybersecurity Enforcement Case by the SEC
The Securities and Exchange Commission (“SEC”) has consistently put cybersecurity at the top of its priority list for the past five years. We also have an article about the SEC’s priorities for 2021 that you may find useful. Beyond a cybersecurity enforcement case in June, the SEC continues to advise securities firms that they must ensure their risk management, cybersecurity, and regulatory compliance plans are up to date. The case study that follows may not directly involve investment advisers, but investment advisers would benefit from its lesson.
First American Financial Corporation (“First American”) is a provider of real estate settlement services operating in the United States. In the course of that business, it maintains certain nonpublic personal information (“NPPI”) concerning real estate sellers and purchasers. One of the errors discovered during an internal audit by First American in 2018 concerned the way specific NPPI records were stored.
In January 2019, following a dedicated vulnerability test, First American produced an overview of the vulnerabilities found. According to that report, First American employees found that certain URLs on the company’s website could be tampered with so that an unauthorized user could gain access to NPPI.
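The flaw described above is the familiar pattern of a URL that names a record by identifier without the server checking who is asking. The following added example (hypothetical, not First American's code; the page does not describe the real URL scheme) shows a minimal document-fetch handler in its vulnerable form beside a hardened one that checks ownership before returning anything.

```python
# Added illustration of a record URL whose identifier can be altered to reach
# another customer's records, and the ownership check that closes the gap.
# Hypothetical mini-service with constructed sample data, not the real site.
from dataclasses import dataclass


@dataclass(frozen=True)
class Document:
    doc_id: int
    owner: str      # authenticated account this record belongs to
    contents: str   # stands in for the NPPI held in the record


# Constructed sample store with sequential, guessable identifiers.
DOCUMENTS = {
    1001: Document(1001, "alice", "escrow statement for 12 Main St"),
    1002: Document(1002, "bob", "wire instructions for 34 Oak Ave"),
}


class Forbidden(Exception):
    """Raised when a requester may not read the requested record."""


def fetch_document_unsafe(doc_id: int) -> str:
    """Vulnerable form: the id taken from the URL is trusted outright, so
    changing 1001 to 1002 in the request returns another customer's record."""
    return DOCUMENTS[doc_id].contents


def fetch_document(requester: str, doc_id: int) -> str:
    """Hardened form: look the record up, then compare its owner with the
    authenticated requester before returning any contents."""
    doc = DOCUMENTS.get(doc_id)
    # Same response for "missing" and "not yours", so the endpoint does not
    # reveal which identifiers exist.
    if doc is None or doc.owner != requester:
        raise Forbidden(f"document {doc_id} not available to {requester}")
    return doc.contents


def audit_access(requester: str, doc_ids) -> list:
    """Report which ids the requester is allowed to read; a run of denials
    from one account is the pattern an access log should surface."""
    results = []
    for doc_id in doc_ids:
        try:
            fetch_document(requester, doc_id)
            results.append((doc_id, True))
        except Forbidden:
            results.append((doc_id, False))
    return results
```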
In accordance with company policies and procedures, First American assessed the vulnerability, but incorrectly classified it as low risk rather than medium risk. First American neither remediated the vulnerability nor reviewed its remediation timeframe within the period stated in its procedures.
In May 2019, a journalist revealed the vulnerability in First American’s systems, which had exposed NPPI dating back to 2003. According to the statement provided by First American, the situation was “of top priority,” and “the company immediately addressed it.” In addition, First American filed a Form 8-K reporting there were “[n]o indications of extensive unauthorized access to customer records.”
Both the Chief Information Officer (“CIO”) and the Chief Information Security Officer (“CISO”) became aware of this security hole following communication from the journalist. As part of the disclosures First American made regarding the breach, First American’s CISO and CIO appeared in meetings with senior executives. The company’s senior executives, however, did not receive a full report on the security flaw or on the January 2019 investigation.
The SEC concluded that when these executives drafted and approved the disclosures, they did not have the information needed to fully evaluate the company’s risk and responsiveness. Under the settlement, First Financial neither admitted nor denied the findings (other than jurisdiction) and agreed to pay $487,616 in additional civil monetary penalties.
A firm that wishes to avoid cybersecurity enforcement cases such as this one must regularly update its policies and procedures to ensure they remain effective. To ensure a cohesive strategy is developed when a vulnerability is identified, firm executives, IT specialists, and compliance departments need to work hand in hand. Additionally, NPPI security vulnerabilities need to be overseen by executives who have sufficient authority to see remediation through.
MAH Advising assists broker-dealers, investment advisers, issuers of securities, registered representatives, and hedge funds with their legal and compliance needs. Our firm assists companies in complying with federal and state laws and regulations as well as other complex issues arising during the course of their business.