First American Financial Corp. on Tuesday reached a $487,616 settlement with the Securities and Exchange Commission (SEC) for failing to maintain cyber-security disclosure controls and procedures that exposed more than 800 million title insurance records containing sensitive customer information.
Cyber-security journalist Brian Krebs first reported the leak in May 2019, when a real estate developer notified him of the security vulnerability after getting no response from the company. The vulnerability “exposed approximately 885 million files, the earliest dating back more than 16 years,” Krebs wrote.
“The digitized records—including bank account numbers and statements, mortgage and tax records, Social Security numbers, wire transaction receipts, and drivers’ license images—were available without authentication to anyone with a Web browser,” Krebs added.
In response, First American issued a statement acknowledging the “design defect in an application that made possible unauthorized access to customer data.” The company added it “took immediate action to address the situation and shut down external access to the application.”
First American issued a Form 8-K four days later.
According to the SEC, First American’s senior executives responsible for these public statements were “not apprised of certain information that was relevant to their assessment of the company’s disclosure response to the vulnerability and the magnitude of the resulting risk.” The executives were unaware information security personnel at the company had identified the vulnerability in January 2019 and failed to remediate it, the SEC explained in its order.
Compliance message: The SEC found First American failed to maintain controls and procedures designed to ensure all relevant information concerning the vulnerability was analyzed for disclosure in the company’s public reports filed with the Commission.
“As a result of First American’s deficient disclosure controls, senior management was completely unaware of this vulnerability and the company’s failure to remediate it,” said Kristina Littman, chief of the SEC Enforcement Division’s Cyber Unit. “Issuers must ensure that information important to investors is reported up the corporate ladder to those responsible for disclosures.”
In a related matter, First American Title Insurance Company in July 2020 became the first firm to face charges alleging violations of the New York State Department of Financial Services’ Cybersecurity Regulation, which requires banks, insurance companies, and other NYDFS-regulated financial services institutions to establish and maintain a cyber-security program designed to protect consumers and ensure the safety and soundness of the financial services industry.