First American Financial Corporation (FAFC) is facing the first-ever penalty from the SEC, in the form of a cease-and-desist order and civil fines, as a result of its lack of disclosure controls and systems surrounding its cybersecurity risk management.
Regulators are cracking down to enforce cybersecurity regulations, leading to potential financial penalties and other civil sanctions, like the cease-and-desist order FAFC is currently facing. The penalties include large fines and extend the scope of liability to C-level executives and board members.
The combined enforcement action by the SEC and NYSDFS against First American Financial Corporation for failures in its cybersecurity risk management practices may have an impact as great as, if not greater than, that of the financial crimes cases like Enron and MCI, which led to the Sarbanes-Oxley regulation.
Although the NYSDFS already required non-technical company executives at financial services organizations to sign off on the organization’s cybersecurity risk posture, the SEC’s charges specifically link the deficiency in controls to the investment disclosures made by senior executives. This enforcement action, which includes a cease-and-desist order, should concern every board member and management executive at financial services companies.
Our CEO, Vikas Bhatia, said: “When 23NYCRR500 was released I realized that only the largest Financial Services companies would have the capability and motivation to meet their requirements. The enforcement specifically highlights the Cybersecurity risk management challenges faced by mid-sized organizations, which include a lack of transparency to Senior Management, the siloed and compliance-focused nature of processes, as well as the inefficiencies related to the conducting and reporting of risks once assessed.”
Key takeaway: To avoid substantial regulatory and civil claims, fines, and penalties, public companies must reinforce their cybersecurity risk management systems. Companies need to address siloed processes and the inefficiencies related to conducting risk assessments and reporting the risks once assessed.
Schedule a time to talk with Vikas about how companies like yours can better manage cybersecurity risk and avoid these penalties.