{"id":1300,"date":"2024-12-18T02:22:45","date_gmt":"2024-12-18T02:22:45","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=1300"},"modified":"2024-12-18T02:22:45","modified_gmt":"2024-12-18T02:22:45","slug":"lesson-from-latest-sec-fine-for-not-completely-disclosing-data-breach-details-be-truthful","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=1300","title":{"rendered":"Lesson from latest SEC fine for not completely disclosing data breach details: \u2018Be truthful\u2019"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>A $3.55 million civil penalty levied this week by a US financial regulator against a Michigan bank for filing misleading statements about the theft of 1.5 million people\u2019s data is a reminder to leaders of all organizations to be upfront about cyber incidents.<\/p>\n<p>\u201cThe message is, \u2018Be truthful with your disclosures,\u2019\u201d said Bob Zukis, executive director of the US-based Digital Directors Network, a group of CISOs, CIOs, and corporate directors.<\/p>\n<p>\u201cDon\u2019t misrepresent what happened, and be forthcoming about what happened, both in your [publicly-required] annual disclosures and your incident disclosures.\u201d<\/p>\n<p>He was commenting on <a href=\"https:\/\/www.sec.gov\/enforcement-litigation\/administrative-proceedings\/33-11343-s\">the order made this week by the Securities and Exchange Commission (SEC) against Flagstar Bancorp<\/a> (now known as Flagstar Financial) in response to a 2021 data breach.<\/p>\n<p>A March 2022 annual filing by Flagstar said cybersecurity attacks \u201cmay interrupt our business or compromise the sensitive data of our customers,\u201d the SEC order noted, but Flagstar didn\u2019t disclose that it had already suffered cyber attacks that resulted in the 
exfiltration of sensitive customer data, and that the breach had interrupted its business.<\/p>\n<p>In addition, the SEC said, a June 2022 notice to customers posted on its website and an August regulatory filing included additional materially misleading statements concerning the scope of the 2021 breach. Specifically, those statements said there was unauthorized \u201caccess\u201d to its network and customer data, but Flagstar knew the breach had disrupted several of its network systems, and that customer personal information had been exfiltrated from its network.<\/p>\n<p>The SEC\u2019s order also found that Flagstar failed to maintain disclosure controls and procedures regarding cybersecurity incidents designed to ensure that relevant information to assess materiality was considered by disclosure decision makers, to allow timely decisions regarding potentially required disclosure.<\/p>\n<p>Without admitting to or denying the findings in the SEC\u2019s order, Flagstar agreed to cease and desist from committing or causing any violations of these provisions, and to pay a US$3.55 million civil monetary penalty.<\/p>\n<p>This agreement was made under the SEC\u2019s old disclosure rules.<a href=\"https:\/\/www.csoonline.com\/article\/3609804\/what-cisos-need-to-know-about-the-secs-breach-disclosure-rules.html\"> Tighter new rules came into effect last year.<\/a><\/p>\n<h2 class=\"wp-block-heading\">CISOs beware: the SEC is watching<\/h2>\n<p>\u201cThe lessons [of this latest ruling] are that the SEC is paying attention to this issue,\u201d Zukis said, \u201cso get your house in order in terms of the new rules.\u201d<\/p>\n<p>\u201cThe SEC is being very patient with the new rules,\u201d he added. But, he alleged, \u201cthere\u2019s an enormous amount of non-compliance to the new rules. Companies are not describing the material impact of an incident in their current filings under the new rules. 
So get focused on your processes, get your documentation in place and disclose [information in filings] truthfully.\u201d<\/p>\n<p>\u201cThis isn\u2019t rocket science,\u201d he said, \u201cbut it requires some consistency and maturity in processes. The SEC will hold you accountable if you\u2019re playing fast and loose with these rules. If your documentation [of cyber incidents] is inconsistent, you don\u2019t have a mature process \u2026 It\u2019s not about getting it right or wrong. It\u2019s about showing you have some maturity as a business management and governance body to consistently apply some thoughtfulness and rigor to the process.\u201d<\/p>\n<p>Companies outside the jurisdiction of the SEC should also pay attention to proper public disclosure of cyber incidents, Zukis added.<\/p>\n<p>\u201cAll companies have investors,\u201d he said. \u201cThe SEC requirement is just a particular US compliance issue. So the real issue is recognizing that understanding how cybersecurity risk impacts any investor\u2019s or stakeholder\u2019s interests is good management and governance. 
Any and every company should focus on maturing these processes; it will serve them and their stakeholders well, even if they don\u2019t have the same SEC compliance requirements.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Other recent penalties<\/h2>\n<p>CISOs and boards should also note that in October, <a href=\"https:\/\/www.sec.gov\/newsroom\/press-releases\/2024-174\">the SEC imposed nearly US$7 million in penalties against four IT companies<\/a> \u2014 again, under the old disclosure rules \u2014 for allegedly making misleading disclosures stemming from the 2020 hack of the SolarWinds Orion network monitoring suite.<\/p>\n<p>Under the deal:<\/p>\n<p><strong>Unisys<\/strong> agreed to pay a US$4 million civil penalty for describing in a filing its risks from cybersecurity events as hypothetical, even though at the time it knew it had experienced two SolarWinds-related intrusions involving exfiltration of gigabytes of data;<\/p>\n<p><strong>Avaya Holdings<\/strong> agreed to pay a US$1 million civil penalty because it reported that a threat actor had accessed \u201ca limited number\u201d of company email messages when it also knew at least 145 files in its cloud file sharing environment were exposed;<\/p>\n<p><strong>Check Point Software<\/strong> agreed to pay a US$995,000 civil penalty after the SEC concluded it knew of the intrusion, but described cyber intrusions and risks from them in generic terms;<\/p>\n<p><strong>Mimecast<\/strong> agreed to pay a US$900,000 penalty after the regulator found the company minimized the attack by not disclosing the nature of the software code the threat actor exfiltrated and the quantity of encrypted credentials that were accessed.<\/p>\n<p>These four companies didn\u2019t admit to or deny the SEC findings.<\/p>\n<p>In a separate action, the SEC claimed SolarWinds officials, including its CISO, made material misrepresentations and omissions about its cybersecurity practices and risks, in public filings and on its 
website, relating to the hack. It also alleged the company failed to maintain controls to safeguard its software. In July, a US district judge dismissed most of the charges, but said a 2017 security statement on its website could have been false or misleading.<\/p>\n<p>In a statement Tuesday, a spokesperson for SolarWinds said the company is pleased the judge largely granted its motion in July to dismiss the SEC\u2019s claims. \u201cWe look forward to the next stage, where we will have the opportunity for the first time to present our own evidence and to demonstrate why the remaining claim is factually inaccurate,\u201d the spokesperson said. \u201cWe are also grateful for the support we have received thus far across the industry, from our customers, from cybersecurity professionals, and from veteran government officials who echoed our concerns, with which the court agreed.\u201d<\/p>\n<p>The fact that some SEC charges against SolarWinds\u2019 CISO still have to be dealt with \u201cmay give corporate compliance officers pause,\u201d said the New York law firm of Kramer Levin <a href=\"https:\/\/www.kramerlevin.com\/en\/perspectives-search\/southern-district-of-new-york-dismisses-most-claims-in-sec-cybersecurity-related-enforcement-action-against-solarwinds.html\">in a recent commentary to clients<\/a>. 
\u201cBecause lower-level officers may be personally liable for company misrepresentations, the case should be a warning to officers to ensure accuracy in all company statements they have a hand in drafting, even if they are not themselves in charge of disclosures, and even if the statements are directed at customers and not investors.\u201d<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>A $3.55 million civil penalty levied this week by a US financial regulator against a Michigan bank for filing misleading statements about the theft of 1.5 million people\u2019s data is a reminder to leaders of all organizations to be upfront about cyber incidents. \u201cThe message is, \u2018Be truthful with your disclosures,\u2019\u201d said Bob Zukis, executive [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":1282,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-1300","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/1300"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1300"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/1300\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/1282"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1300"}],"wp:term":[{"taxonomy":"category","embed
dable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1300"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1300"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}