On June 15, 2021, the SEC reported settled charges against real estate services company First American Financial Corporation (“First American”) for alleged violation of Rule 13a-15(a) of the Exchange Act. The Securities and Exchange Commission accused First American of failing to comply with disclosure controls and procedures to ensure that all available and up-to-date information about the software vulnerability that led to the cybersecurity incident is submitted to the Commission.
On May 24, 2019, a cybersecurity journalist notified First American of a vulnerability in its document transfer software, resulting in the discovery of more than 800 million images of title and symbol documents containing sensitive personal information such as Social Security numbers and financial information. … The vulnerability could allow access to confidential documents without authorization if the digits in the URLs linking to personal files were changed. In addition, the lack of password protection for some documents allowed public search engines to cache documents transmitted through the software.
In response to the journalist’s notice, First American issued a statement and filed a Form 8-K with the SEC. However, according to the SEC, the senior management responsible for the disclosure did not have the information needed to fully assess the company’s cybersecurity response and vulnerability risk at the time they approved the company’s disclosure. Specifically, the Securities and Exchange Commission found that First American’s cybersecurity staff had discovered the vulnerability months before being notified by the journalist, but that (i) the company was unable to fix the defect in accordance with its own vulnerability remediation management policy, and (ii) the relevant staff did not disclose these facts to senior disclosure officers until the company had submitted the Form 8-K to the Commission.
Christina Littman, Chief of Cybersecurity at the SEC, noted: “As a result of First American’s lack of oversight of disclosure, senior management was unaware of this vulnerability and the company’s inability to fix it. Issuers must ensure that information important to investors is passed up the corporate ladder to those responsible for disclosure.”
First American agreed to cease and refrain from committing or causing future violations of Rule 13a-15 of the Exchange Act and to pay a civil fine of $487,616.
Copyright © 2021, Hunton Andrews Kurth LLP. All rights reserved. Review of National Legislation, Volume XI, Number 181