Flagstar Bank must pay $3.5 million to the Securities and Exchange Commission for making allegedly misleading statements about a 2021 cyberattack, the agency said this week.

After a hacker gained access to Flagstar’s Citrix environment in late 2021 and stole personally identifiable information of 1.5 million customers, Flagstar “negligently made” materially misleading statements on its website and in financial filings, according to the SEC.

In its 2021 Form 10-K filed March 1, 2022, Flagstar said cyberattacks “may interrupt our business or compromise the sensitive data of our customers,” but the bank did not disclose that it had already experienced such attacks that resulted in a customer data leak and interruptions to its mortgage origination business, according to the SEC order.

The commission also found that in a June 17, 2022, notice to customers and an August 9, 2022, securities filing, the bank made misleading statements regarding the scope of the Citrix breach.

Flagstar also failed to maintain disclosure controls and procedures that would have ensured the bank was ready with all relevant information to make required disclosures.

Flagstar neither admitted nor denied the commission’s allegations, but it consented to the $3.5 million penalty and a cease-and-desist order barring it from making misleading statements in the future.

“We are pleased to have resolved the SEC matter. We remain committed to our compliance and regulatory obligations,” a Flagstar spokesperson said in an emailed statement.

The cyberattack was the bank’s second of 2021, after bad actors took advantage of a flaw in Accellion’s File Transfer Appliance software, which Flagstar was using to protect sensitive information.

Flagstar also fell victim to the 2023 breach of file transfer system MOVEIt, which affected about 837,390 Flagstar customers and more than 2,000 organizations.