On June 15, 2021, the SEC announced it settled charges against real estate services company First American Financial Corporation (“First American”) for alleged violation of Rule 13a-15(a) of the Exchange Act. The SEC charged First American with failure to maintain disclosure controls and procedures designed to ensure that all available, relevant information concerning a software vulnerability that led to a cybersecurity incident was filed with the Commission.
On May 24, 2019, a cybersecurity journalist notified First American of a vulnerability in its document transmission software that had exposed over 800 million title and escrow document images containing sensitive personal data, such as Social Security numbers and financial information. The vulnerability allowed unauthorized access to confidential documents whenever the digits in a URL linking to a personal file were altered. In addition, the lack of password protection on certain documents allowed publicly available search engines to cache documents shared via the software.
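The flaw described above is an insecure direct object reference: a guessable sequential identifier in the URL, no authentication, and no ownership check. As an added illustration that is not First American's code, this Python sketch places such a lookup beside a hardened version that refuses unauthenticated requests (so crawlers have nothing to cache), checks that the requester owns the document, and serves files by unguessable handles. All names, identifiers and document contents are constructed.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Document:
    doc_id: int
    owner: str
    contents: str


# Constructed sample store with sequential ids, the pattern described above.
DOCS: Dict[int, Document] = {
    1000: Document(1000, "alice", "escrow: SSN 000-00-0000 (constructed)"),
    1001: Document(1001, "bob", "title: account 1234 (constructed)"),
}

# Response headers for sensitive documents: forbid caching and indexing.
SENSITIVE_DOC_HEADERS = {"Cache-Control": "no-store", "X-Robots-Tag": "noindex, nofollow"}


def fetch_vulnerable(doc_id: int) -> Optional[str]:
    """Vulnerable: any caller who changes the digits gets the neighbouring document."""
    doc = DOCS.get(doc_id)
    return doc.contents if doc else None


# Hardened variant: opaque handles plus per-request authentication and authorization.
HANDLES: Dict[str, int] = {}


def issue_handle(doc_id: int) -> str:
    """Mint an unguessable handle for a document (256 bits of randomness)."""
    handle = secrets.token_urlsafe(32)
    HANDLES[handle] = doc_id
    return handle


def fetch_hardened(handle: str, requester: Optional[str]) -> Optional[str]:
    """Return the document only to its authenticated owner; otherwise behave as 'not found'."""
    if requester is None:          # unauthenticated: nothing is served, nothing gets cached
        return None
    doc_id = HANDLES.get(handle)   # unknown or expired handle
    if doc_id is None:
        return None
    doc = DOCS[doc_id]
    if doc.owner != requester:     # authenticated but not authorized
        return None
    return doc.contents
```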
In response to the journalist’s notice, First American issued a statement and filed a Form 8-K with the SEC. According to the SEC, however, the senior executives responsible for these disclosures lacked information to fully evaluate the company’s cybersecurity responsiveness and the risk from the vulnerability at the time they approved the company’s disclosures. Specifically, the SEC found that the information security staff at First American had discovered the vulnerability months before receiving the journalist’s notice but that (i) the company failed to remediate the defect according to its own vulnerability remediation management policies and (ii) relevant personnel did not inform senior executives responsible for disclosures about these facts until after the company furnished a Form 8-K to the Commission.
The Chief of the SEC Enforcement Division’s Cyber Unit, Kristina Littman, noted, “As a result of First American’s deficient disclosure controls, senior management was completely unaware of this vulnerability and the company’s failure to remediate it. Issuers must ensure that information important to investors is reported up the corporate ladder to those responsible for disclosures.”
First American agreed to cease and desist from committing or causing future violations of Exchange Act Rule 13a-15 and to pay a civil money penalty of $487,616.