[BreachExchange] SEC Settles With First American Financial Over Cybersecurity Disclosure Control Failures

Sophia Kingsbury sophia.kingsbury at riskbasedsecurity.com
Thu Jun 17 11:51:50 EDT 2021


https://lawstreetmedia.com/tech/sec-settles-with-first-american-financial-over-cybersecurity-disclosure-control-failures/

According to a press release issued on Tuesday, the Securities and Exchange
Commission (SEC) charged a real estate settlement services company with
failure to properly publicize a data breach that exposed thousands of
sensitive records in violation of provisions in the Exchange Act. For its
alleged lapses, First American Financial agreed to a cease-and-desist order
and to a penalty of $487,616.

In its June 14 order, the SEC explained that in May 2019, a cybersecurity
journalist notified First American of a vulnerability in its application
for title and escrow transactions. The flaw exposed hundreds of millions of
title and escrow document images dating back to 2003, including images
containing personal data such as social security numbers and financial
information, the order stated.

Shortly thereafter, First American issued a statement concerning the breach
and addressed it in regulatory filings. The SEC alleged that the company
failed to notify senior executives that the flaw had been uncovered months
before by the internal security team during penetration testing. However,
no action was taken as a result of the January 2019 report, in violation of
First American policies.

In turn, First American “failed to maintain disclosure controls and
procedures designed to ensure that all available, relevant information
concerning the vulnerability was analyzed for disclosure in the company’s
public reports filed with the Commission,” the order stated.

Kristina Littman, Chief of the SEC Enforcement Division’s Cyber Unit,
commented on the proceeding. “As a result of First American’s deficient
disclosure controls, senior management was completely unaware of this
vulnerability and the company’s failure to remediate it. Issuers must
ensure that information important to investors is reported up the corporate
ladder to those responsible for disclosures,” she said in a statement.