Tag Archives: John Evangelakos

SEC Charges Issuer for Inadequate Cybersecurity Disclosure Controls: Action Suggests a More Active SEC Enforcement Role Concerning Disclosure Controls and Procedures for Cybersecurity

by Cathy Clarkin, Bob Downes, John Evangelakos, Nicole Friedlander, Tony Lewis, Sarah Payne, Steve Peikin, Kamil Shields and Rebecca Sobel

On June 15, 2021, the Securities and Exchange Commission (“SEC”) announced charges against First American Financial Corporation (“First American”) for failure to maintain adequate disclosure controls and procedures in violation of Exchange Act Rule 13a-15(a).[1]  The charges, which were simultaneously settled pursuant to a cease-and-desist order (the “Order”) imposing a $487,616 civil money penalty, related to a vulnerability in First American’s proprietary software application that caused tens of millions of document images—many containing consumers’ personal information—to be publicly accessible.  After being notified by a journalist about the vulnerability on May 24, 2019, First American issued a press release and subsequently filed a Form 8-K with the SEC.  According to the Order, however, the senior executives responsible for these disclosures were not informed prior to the time the disclosures were made that certain First American personnel had longstanding prior knowledge of the vulnerability, and that the vulnerability had not been remediated in accordance with the company’s policies.  In light of the action—and increased scrutiny by U.S. authorities concerning cybersecurity in the wake of nationally significant ransomware attacks and cyberattacks involving SolarWinds and Microsoft software—issuers should review and confirm the efficacy of their disclosure controls and procedures for analyzing and escalating key information about cybersecurity incidents and vulnerabilities.

SEC Issues Report of Investigation on Cyber-Related Frauds Perpetrated Against Public Companies

by Robert W. Downes, John Evangelakos, Nader A. Mousavi, Nicole Friedlander, and Sarah M. Cravens

Public Companies Should Implement Sufficient Internal Controls to Avoid Becoming Victims of Cyber-Related Frauds and to Comply With the Exchange Act

Summary

On October 16, the SEC issued a report on an investigation into whether nine public issuers that were victims of cyber-related frauds may have violated Sections 13(b)(2)(B)(i) and (iii) of the Exchange Act by failing to have a sufficient system of internal accounting controls to provide reasonable assurances that those frauds were detected and prevented.

The issuers, which the SEC stated represent a variety of industries, were victims of two types of “business email compromise” scams that resulted in mostly unrecovered losses ranging from $1 million to over $45 million.

While the SEC determined not to pursue enforcement actions against the issuers under investigation, it issued its report of investigation to make issuers aware that the cyber-related threats exist and concluded that all companies should reassess the sufficiency not only of existing internal controls, but also of policies and procedures that ensure employee compliance with controls.