17-Jun-2021 - The Securities and Exchange Commission (SEC) has announced a settlement with First American Financial Corporation relating to inadequate cybersecurity disclosure controls and procedures. The deficient controls failed to inform senior management about ongoing cybersecurity vulnerabilities and remediation failures, causing them to issue misleading public statements and SEC filings about the company’s cybersecurity risk.
On June 15, 2021, the US Securities and Exchange Commission (SEC) issued a press release announcing a $487,000 settlement with real estate settlement services company First American Financial Corporation relating to a cybersecurity vulnerability that exposed nonpublic customer personal information. The settlement highlights the importance of correctly implemented vulnerability controls to help prevent data breaches and meet compliance obligations.
According to the SEC, a journalist notified First American on May 24, 2019 that a vulnerability in its proprietary document sharing application had exposed over 800 million documents from real estate transactions dating back to 2013, including bank account numbers, mortgage and tax records, Social Security numbers, wire transaction receipts, and drivers' license images.
The SEC charged the company with violating Exchange Act Rule 13a-15(a) (17 CFR § 240.13a-15), alleging that the company's lack of cybersecurity disclosure controls and procedures deprived senior executives of necessary information to accurately analyze the company's cybersecurity responsiveness and risk when it issued its press statement on May 24, 2019 and filed its Form 8-K with the SEC on May 28, 2019.
Specifically, the SEC found that:

- First American's information security team identified the vulnerability months earlier during penetration testing and issued a report in January 2019 that:
    - noted the vulnerability had existed since 2014; and
    - characterized it as a serious risk that required remediation within 45 days.
- A First American employee erroneously input the vulnerability as a low risk in the company's vulnerability remediation management tracking system, which directed a 90-day remediation deadline.
- First American did not remediate the vulnerability until May 24, 2019.
- First American's Chief Information Security Officer and other executives, including those that furnished the Form 8-K, learned about the vulnerability and the remediation failure for the first time in May 2019.
First American did not admit or deny the findings and agreed to a cease-and-desist order and to pay a $487,616 penalty.
The underlying incident was the subject of the New York Department of Financial Services’ first enforcement proceeding under its Cybersecurity Requirements for Financial Services Companies regulation (23 NYCRR §§ 500.0 to 500.23). For more on this proceeding, see Article, Expert Q&A on Lessons Learned from the First NYDFS Cybersecurity Enforcement Action.
Opinions expressed are those of the author. They do not reflect the views of Reuters News, which, under the Trust Principles, is committed to integrity, independence, and freedom from bias. Practical Law is owned by Thomson Reuters and operates independently of Reuters News.