A $3.55 million civil penalty levied this week by a US financial regulator against a Michigan bank for filing misleading statements about the theft of 1.5 million people’s data is a reminder to leaders of all organizations to be upfront about cyber incidents.

“The message is, ‘Be truthful with your disclosures,’” said Bob Zukis, executive director of the US-based Digital Directors Network, a group of CISOs, CIOs, and corporate directors. “Don’t misrepresent what happened, and be forthcoming about what happened, both in your [publicly-required] annual disclosures and your incident disclosures.”

He was commenting on the order made this week by the Securities and Exchange Commission (SEC) against Flagstar Bancorp (now known as Flagstar Financial) in response to a 2021 data breach.

A March 2022 annual filing by Flagstar said cybersecurity attacks “may interrupt our business or compromise the sensitive data of our customers,” the SEC order noted, but Flagstar didn’t disclose that it had already suffered cyber attacks that resulted in the exfiltration of sensitive customer data, and that the breach had interrupted its business.

In addition, the SEC said, a June 2022 notice to customers posted on its website and an August regulatory filing included additional materially misleading statements concerning the scope of the 2021 breach. Specifically, those statements said there was unauthorized “access” to its network and customer data, but Flagstar knew the breach had disrupted several of its network systems, and that customer personal information had been exfiltrated from its network.

The SEC’s order also found that Flagstar failed to maintain disclosure controls and procedures regarding cybersecurity incidents designed to ensure that relevant information to assess materiality was considered by disclosure decision makers, to allow timely decisions regarding potentially required disclosure.

Without admitting to or denying the findings in the SEC’s order, Flagstar agreed to cease and desist from committing or causing any violations of these provisions, and to pay a US$3.55 million civil monetary penalty.

This agreement was made under the SEC’s old disclosure rules. Tighter new rules came into effect last year.

“The lessons [of this latest ruling] are that the SEC is paying attention to this issue,” Zukis said, “so get your house in order in terms of the new rules.”

“The SEC is being very patient with the new rules,” he added. But, he alleged, “there’s an enormous amount of non-compliance to the new rules. Companies are not describing the material impact of an incident in their current filings under the new rules. So get focused on your processes, get your documentation in place and disclose [information in filings] truthfully.”

“This isn’t rocket science,” he said, “but it requires some consistency and maturity in processes. The SEC will hold you accountable if you’re playing fast and loose with these rules. If your documentation [of cyber incidents] is inconsistent, you don’t have a mature process … It’s not about getting it right or wrong. It’s about showing you have some maturity as a business management and governance body to consistently apply some thoughtfulness and rigor to the process.”

Companies outside the jurisdiction of the SEC should also pay attention to proper public disclosure of cyber incidents, Zukis added.

“All companies have investors,” he said. “The SEC requirement is just a particular US compliance issue. So the real issue is recognizing that understanding how cybersecurity risk impacts any investor’s or stakeholder’s interests is good management and governance. Any and every company should focus on maturing these processes; it will serve them and their stakeholders well, even if they don’t have the same SEC compliance requirements.”
Other recent penalties
CISOs and boards should also note that in October, the SEC imposed nearly US$7 million in penalties against four IT companies, again under the old disclosure rules, for allegedly making misleading disclosures stemming from the 2020 hack of the SolarWinds Orion network monitoring suite. Under the deal:

- Unisys agreed to pay a US$4 million civil penalty for describing in a filing its risks from cybersecurity events as hypothetical, even though at the time it knew it had experienced two SolarWinds-related intrusions involving exfiltration of gigabytes of data;
- Avaya Holdings agreed to pay a US$1 million civil penalty because it reported that a threat actor had accessed “a limited number” of company email messages when it also knew at least 145 files in its cloud file sharing environment were exposed;
- Check Point Software agreed to pay a US$995,000 civil penalty after the SEC concluded it knew of the intrusion, but described cyber intrusions and risks from them in generic terms;
- Mimecast agreed to pay a US$900,000 penalty after the regulator found the company minimized the attack by not disclosing the nature of the software code the threat actor exfiltrated and the quantity of encrypted credentials that were accessed.

These four companies didn’t admit to or deny the SEC findings.

In a separate action, the SEC claimed SolarWinds officials, including its CISO, made material misrepresentations and omissions about its cybersecurity practices and risks, in public filings and on its website, relating to the hack. It also alleged the company failed to maintain controls to safeguard its software. In July, a US district judge dismissed most of the charges, but said a 2017 security statement on its website could have been false or misleading.

In a statement Tuesday, a spokesperson for SolarWinds said the company is pleased the judge largely granted its motion in July to dismiss the SEC’s claims. “We look forward to the next stage, where we will have the opportunity for the first time to present our own evidence and to demonstrate why the remaining claim is factually inaccurate,” the spokesperson said. “We are also grateful for the support we have received thus far across the industry, from our customers, from cybersecurity professionals, and from veteran government officials who echoed our concerns, with which the court agreed.”

The fact that some SEC charges against SolarWinds’ CISO still have to be dealt with “may give corporate compliance officers pause,” said the New York law firm of Kramer Levin in a recent commentary to clients. “Because lower-level officers may be personally liable for company misrepresentations, the case should be a warning to officers to ensure accuracy in all company statements they have a hand in drafting, even if they are not themselves in charge of disclosures, and even if the statements are directed at customers and not investors.”
First seen on csoonline.com
Jump to article: www.csoonline.com/article/3627021/lesson-from-latest-sec-fine-for-not-completely-disclosing-data-breach-details-be-truthful.html