On June 15, 2021, the SEC announced the settlement of charges against a real estate settlement services company relating to “cybersecurity vulnerability that exposed sensitive customer information.” However, the enforcement proceeding was not directed at the failure to protect the information. Rather, it was based upon the company’s deficient disclosure controls and procedures.
The basis for the proceeding was that, after learning of a vulnerability that could compromise the information, the company issued a press statement and filed an 8-K report, both of which failed to report that the vulnerability had been identified several months earlier but had not been remediated in accordance with company policy. As a result, the SEC found that the company “failed to maintain disclosure controls and procedures designed to ensure that all available, relevant information…was analyzed for disclosure” in the company’s SEC filings, and the company agreed to a cease-and-desist order and to pay a $487,616 penalty.
This is at least the second time in several months that the SEC has used internal or disclosure controls to penalize a company for conduct having little or nothing to do with those controls (for example, see here). Public companies should keep these cases in mind when dealing with a wide variety of matters.
Please direct any questions or observations to Gunster securities law and corporate governance practice leader Bob Lamm.
YES! PLEASE SIGN ME UP TO RECEIVE EMAIL ALERTS FROM OTHER GUNSTER PRACTICE AREAS.
This publication is for general information only. It is not legal advice, and legal counsel should be contacted before any action is taken that might be influenced by this publication.
