According to the SEC’s order, the agency found that Flagstar made misleading statements regarding a 2021 cybersecurity attack on its network, referred to as the Citrix Breach, which resulted in the encryption of data, network disruptions, and the exfiltration of the personally identifying information (PII) of nearly 1.5 million individuals, including its users.
The SEC noted that the risk factors in Flagstar’s 2021 Form 10-K, filed on 1 March 2022, stated that cybersecurity attacks may interrupt the company’s business or compromise the sensitive data of customers. However, Flagstar did not disclose that it had already experienced cybersecurity attacks leading to the exfiltration of sensitive information and that the Citrix Breach had, in fact, interrupted its business.
Furthermore, the SEC’s order highlighted that in a 17 June 2022 notice to customers published on Flagstar’s website and in a Form 10-Q filed on 9 August 2022, the company further deceived customers regarding the scope of the Citrix Breach. At that time, Flagstar stated that there had been unauthorised access to its network and customer data. However, the company knew that the breach had caused several issues on its network systems and that customer PII had been exfiltrated. Additionally, the agency found that Flagstar did not maintain disclosure controls and processes concerning cybersecurity incidents designed to ensure that information relevant to evaluating materiality was considered by disclosure decision-makers, so as to enable timely decisions about possibly required disclosure.