The U.S. Securities and Exchange Commission (SEC) recently announced civil monetary penalties and a cease-and-desist order against First American Financial Corporation (FAFC) for deficient disclosure controls and procedures related to cybersecurity risks.
FAFC provides title insurance policies for residential and commercial real estate and closing and escrow services. On May 24, 2019, a cybersecurity journalist notified the organization that "its web application for sharing document images related to title and escrow transactions had a cybersecurity vulnerability that exposed sensitive personal information from more than 800 million documents from real estate transactions, including bank account numbers, mortgage and tax records, Social Security numbers, wire transactions receipts and drivers' licenses images."
The journalist published the discovery after FAFC shut down external access to the web application.
On May 28, 2019, FAFC filed a Form 8-K and press release with the SEC about the vulnerability. However, the senior executives who filed the information did not know that FAFC information security personnel had known about the vulnerability for months and failed to remedy the issue or communicate it to senior information security management.
In addition, FAFC's chief information security officer and chief information officer had subsequently learned that information security personnel knew about the vulnerability, but they did not tell the FAFC senior executives responsible for the Form 8-K disclosure.
The SEC determined that FAFC violated Rule 13a-15(a) of the Securities Exchange Act of 1934 by failing to maintain disclosure controls and procedures to ensure the timely and accurate reporting of required information to the SEC. The chief of the SEC Enforcement Division's Cyber Unit stated that insurers "must ensure that information important to investors is reported up the corporate ladder to those responsible for disclosures."
Although the SEC has warned of possible action for nearly a decade, this enforcement action is the first finding of a violation under Rule 13a-15(a) with respect to cybersecurity risk disclosure controls and procedures. In 2018, the SEC updated its initial 2011 guidance to stress "'the importance of maintaining comprehensive policies and procedures related to cybersecurity risks and incidents' in order to ensure that relevant information about cybersecurity risks and incidents is processed and reported up the corporate ladder to enable senior management to make accurate disclosures and related certifications."
The SEC announced a settlement with FAFC on June 15, 2021, requiring the organization to pay a civil penalty of $487,616 and comply with a cease-and-desist order.
In addition, the New York State Department of Financial Services (NYSDFS) issued the first charges ever for violating its Cybersecurity Regulations against FAFC on July 22, 2020. Each instance of nonpublic information in the 800 million exposed documents carries a penalty of up to $1,000.
The NYSDFS action contributed to a shareholders' derivative suit against FAFC and its board of directors. FAFC also reportedly faces several consumer class-action lawsuits. Shardul Desai and Ira Rosner, "SEC Issues First-Ever Penalties for Deficient Cybersecurity Risk Controls," jdsupra.com (Jun. 23, 2021).