Firm Did Not Fully Disclose Cybersecurity Vulnerability
The SEC fined a public company for failing to fully disclose the nature and extent of a cybersecurity vulnerability.
A journalist notified senior company executives of a cyber weakness that would allow a hacker to see personal information of mortgage customers on real estate transaction documents. The company issued an 8-K describing the issue on the next trading day. The SEC alleges that information security personnel knew about the vulnerability for at least 5 months and suspected that the issue dated back several years. However, the security officers did not inform the senior execs responsible for the 8-K, thereby allowing for the omission of material information. The SEC charges the company with failing to implement effective disclosure controls and procedures, as required by the Exchange Act.
For public companies and other registrants that are required to disclose cybersecurity breaches, speed is important, but so are completeness and transparency. Make sure that you have a process to funnel critical information to those making the disclosures. Also, remind the IT folks that their decisions could have a regulatory impact.