SEC Caps 2024 with Another Cyber Enforcement Action
The SEC continues to leave its mark as a federal cybersecurity enforcer and closed out the year by charging another company with making misleading statements about a cybersecurity attack and failing to maintain cyber-related disclosure controls and procedures. In December 2024, Flagstar Bancorp, Inc., now known as Flagstar Financial, Inc. (the “Bank”) settled a $3,550,000 SEC administrative enforcement action, on a neither admit nor deny basis, stemming from a cyberattack in late 2021.
The SEC’s aggressive focus on cyber-related risk disclosures as the basis for securities fraud charges continues. Despite the dismissal of its risk disclosure-based claims in the SolarWinds litigation, as discussed in our July 2024 client alert, the SEC continues to allege that risk disclosures framed as hypothetical, when the risk has in fact already materialized, can form the basis for securities fraud charges. Although there was some hope that the Supreme Court would provide clarity on hypothetical risk disclosures in the private securities litigation context, the Court declined to issue an opinion in Facebook, Inc. v. Amalgamated Bank after granting certiorari and holding oral argument, as we noted in our January 2025 newsletter.
The SEC has put companies on alert that public customer notifications can form the basis for securities fraud liability. This matter serves as a reminder that all specific, public statements concerning a cyber incident must be complete, accurate, and precise. The Bank posted a customer notice that the breach resulted in unauthorized access to its network, but the SEC found this insufficient in light of the fact that the threat actor exfiltrated customer personally identifiable information.
Cybersecurity-related disclosure controls and procedures continue to receive SEC scrutiny. This settlement marks the latest shot in the SEC’s aggressive controls-focused enforcement. Unlike in other SEC cyber enforcement settlements, the Bank’s disclosure decision-makers received regular updates on the incident, but the SEC quibbled with what it felt were allegedly deficient cyber policies. Specifically, the SEC based its allegations on the lack of guidance in the policies about which factors should be considered from a materiality perspective. The SEC’s cybersecurity disclosure rules for public companies require companies to consider quantitative and qualitative factors in assessing materiality, though the agency noted in a May 2024 statement that some cybersecurity incidents could be “so significant” that a company determines them to be material even before it has determined the reasonably likely impact of the incident.
According to the SEC’s order, a threat actor attacked the Bank’s network between November and December 2021 and deployed ransomware that encrypted approximately 30% of the Bank’s workstations and servers and caused network disruptions. The threat actor then allegedly exfiltrated the personally identifiable information of approximately 1.5 million individuals, including customers, from its network.
In response, the Bank engaged third-party experts and conducted a forensic investigation with its Crisis Management Team, completing its review in early June 2022. In March 2022, the Bank wrote in its Form 10-K that cyberattacks “may interrupt our business or compromise the sensitive data of our customers,” without noting that a cyberattack had actually occurred. Later in June 2022, the Bank published a notice on its website to customers regarding the steps it took to respond to the breach but did not include details regarding the scope or consequences of the breach. In its August 2022 Form 10-Q, the Bank indicated that it had “recently” experienced a cyber incident.
In deciding to bring charges under Section 17(a)(2) of the Securities Act of 1933, the SEC alleged that the Bank’s March 2022 Form 10-K risk disclosures were materially misleading because they presented the risk of a cyber incident as hypothetical and mirrored language from the Bank’s 2020 Form 10-K. As for the June 2022 customer notice and the August 2022 Form 10-Q, the SEC alleged that these statements were misleading because they minimized the scope and timeframe of the breach. The SEC also brought charges under Section 13(a) of the Exchange Act of 1934 as well as Rules 12b-20, 13a-1, and 13a-13 thereunder.
As to the controls violations, the SEC levied an Exchange Act Rule 13a-15(a) charge and alleged that the Bank’s cybersecurity disclosure controls and procedures did not contain adequate guidance on the factors to consider when assessing materiality, leading to the Bank’s failure to evaluate and communicate relevant information about the breach to its disclosure decision-makers.