SEC Fines Firm for Alleged Cyber Disclosure Failures

The SEC recently reached a nearly $500,000 settlement with a publicly-traded real estate settlement company after the company allegedly failed to properly disclose cybersecurity defects, violating the Securities Exchange Act of 1934, Rule 13a-15(a). The defects exposed personal financial information on over 800 million mortgage insurance records dating back to 2003.

Rule 13a-15(a) “requires every issuer of a security registered pursuant to Section 12 of the Exchange Act to maintain disclosure controls and procedures designed to ensure that information required to be disclosed by an issuer in reports it files or submits under the Exchange Act is recorded, processed, summarized, and reported within the time periods specified in the Commission’s rules and forms.” The SEC alleged that the company knew of the serious vulnerabilities in the company’s document-sharing system at least five months before an independent journalist warned the public in May 2019. The firm consented to the entry of an order finding a violation of Rule 13a-15, but neither admits nor denies the allegations in the order except as to jurisdiction.