SEC Settles With First American Financial Over Cybersecurity Disclosure Control Failures

According to a press release issued on Tuesday, the Securities and Exchange Commission (SEC) charged a real estate settlement services company with failure to properly publicize a data breach that exposed thousands of sensitive records in violation of provisions in the Exchange Act. For its alleged lapses, First American Financial agreed to a cease-and-desist order and to a penalty of  $487,616.

In its June 14 order, the SEC explained that in May 2019, a cybersecurity journalist notified First American of a vulnerability in its application for title and escrow transactions. The flaw exposed hundreds of millions of title and escrow document images dating back to 2003, including images containing personal data such as social security numbers and financial information, the order stated. 

Shortly thereafter, First American issued a statement concerning the breach and addressed it in regulatory filings. The SEC alleged that the company failed to notify senior executives that the flaw had been uncovered months before by the internal security team during penetration testing. However, no action was taken as a result of the January 2019 report, in violation of First American policies.

In turn, First American “failed to maintain disclosure controls and procedures designed to ensure that all available, relevant information concerning the vulnerability was analyzed for disclosure in the company’s public reports filed with the Commission,” the order stated.

Kristina Littman, Chief of the SEC Enforcement Division’s Cyber Unit commented on the proceeding. “As a result of First American’s deficient disclosure controls, senior management was completely unaware of this vulnerability and the company’s failure to remediate it. Issuers must ensure that information important to investors is reported up the corporate ladder to those responsible for disclosures,” she said in a statement.