SEC Issues $1M Fine for Failure to Disclose Breach Information
On August 16, the U.S. Securities and Exchange Commission (SEC) announced that it had imposed a $1M penalty on a London-based public limited company for providing misleading information about a breach it suffered. The penalty stems from the company's failure to adequately inform investors and the public of a 2018 cyberattack in which millions of records containing student and administrator personally identifiable information (PII) were exfiltrated by cybercriminals.
Per the SEC press release, the company suffered the data breach in 2018. In its 2019 report, however, the firm described data privacy incidents as merely a hypothetical risk and failed to disclose that one had actually occurred. The company also claimed that protections were in place against the exploited vulnerability when in fact it had been left unpatched. The company disclosed the breach only after it was confronted by the media, and even then it understated the scope of the incident.
Without admitting or denying the SEC's findings, the company agreed to pay the $1M penalty.
The SEC penalty serves as a warning that companies must not only protect themselves against cyber incidents but also fully disclose information about cyberattacks when they occur. Per Kristina Littman, chief of the SEC Enforcement Division's Cyber Unit, "public companies … must provide accurate information to investors about material cyber incidents."
This is not the first time the SEC has penalized non-disclosure. As previously reported, the SEC imposed a $500,000 penalty in 2019 on a real estate firm, and in 2018 reached a $35 million settlement with a tech company for failing to tell investors about a data breach.
This SEC penalty for non-disclosure likewise sends a clear signal to private equity firms that breaches and other cybersecurity incidents must be fully reported.
How we help
ACA Aponix® offers the following solutions that can help your firm stay in compliance with federal and state regulatory requirements, and enhance its cybersecurity in general.
- Threat intelligence, phishing testing and monitoring
- Risk assessments and regulatory compliance testing services
- Operational resilience and governance
- Incident response
- Tabletop exercises
Download our Aponix Protect™ cybersecurity solution brochure.
If you have any questions, please contact your ACA Aponix consultant or contact us here.