On December 16, 2024, the Securities and Exchange Commission announced that it reached a settlement with Flagstar Bancorp, Inc., now known as “Flagstar Financial, Inc.” to resolve allegations that the company made materially misleading statements regarding a cyberattack on its Citrix environment, which occurred between November 22, 2021 and December 25, 2021 (the “Citrix Breach”), and for failing to maintain adequate cybersecurity-related disclosure controls and procedures. This settlement follows SEC enforcement actions against four companies with similar offenses in October 2024.
According to the SEC’s order, the Citrix Breach was the result of an illicit actor deploying ransomware that encrypted approximately 30 percent of Flagstar’s work stations and servers, resulting in network disruptions and the theft of approximately 1.5 million individuals’ personally identifiable information (“PII”). In March 2022, Flagstar filed its Form 10-K in which it stated that cyberattacks “may interrupt our business or compromise the sensitive data of our customers,” but did not disclose that a cyberattack had actually occurred and had resulted in network disruptions and the exfiltration of PII from its network. Thereafter, in a June 2022 notice on its website to customers and in an August 2022 Form 10-Q filed with the SEC, Flagstar purportedly made misleading statements regarding the scope of the Citrix Breach by reporting that an unauthorized “access” of its network and customer data had occurred, again without revealing that several of its network systems were disrupted and that customer PII had been stolen. The SEC also determined that Flagstar’s disclosure controls and procedures concerning cybersecurity incidents failed to comply with requirements in the Securities Exchange Act of 1934 (“Exchange Act”).
According to the order, the SEC found that Flagstar’s actions violated Section 17(a)(2) of the Securities Act of 1933 and Section 13(a) of the Exchange Act as well as Rules 12b-20, 13a-1, 13a-13 and 13a-15 thereunder. The SEC agreed to resolve the charges against Flagstar by entering into a settlement in which the company consented to the entry of a cease-and-desist order without admitting or denying the SEC’s findings. The SEC also ordered Flagstar to pay a $3.55 million civil money penalty.