SEC Settles Charges Against Flagstar for Misleading Actions

The Securities and Exchange Commission recently settled charges against Flagstar Bancorp, Inc., now known as Flagstar Financial, Inc. The charges were related to misleading statements made about a cybersecurity attack on Flagstar’s network in late 2021, known as the Citrix Breach. This breach led to various consequences, including data encryption, network disruptions, and the exfiltration of personally identifiable information of around 1.5 million individuals, including customers.

The SEC’s investigation found that Flagstar had made materially misleading statements about the Citrix Breach in its 2021 Form 10-K, which was filed on March 1, 2022, by not disclosing previous cybersecurity attacks that led to the exfiltration of sensitive customer data. Additionally, Flagstar failed to disclose that the breach disrupted its network systems. In subsequent communications, Flagstar continued to make misleading statements about the scope of the breach and the unauthorized access to its network and customer data, despite being aware of the exfiltration of data.

Flagstar was found to violate certain sections of the Securities Act of 1933 and the Securities Exchange Act of 1934. Without admitting or denying the findings, Flagstar agreed to cease and desist from further violations and pay a $3.55 million civil money penalty. The SEC’s investigation was conducted by a team of experts from different regional offices, and trial attorneys assisted in the matter.

This settlement serves as a reminder of the importance of transparent and accurate disclosures by companies, especially when it comes to cybersecurity incidents. The SEC’s action against Flagstar highlights the consequences of misleading investors and failing to disclose material information related to data breaches. Investors and customers rely on such disclosures to make informed decisions, and companies have a responsibility to provide accurate and timely information to protect their interests.