First American Financial Corporation has settled SEC allegations of disclosure controls and procedures violations related to a cyber-security vulnerability that exposed sensitive customer information.
According to an SEC filing, the enforcement involves First American’s EaglePro application for sharing document images related to title and escrow transactions. The SEC says the Santa Ana, California-based company failed to maintain disclosure controls and procedures to ensure that all available relevant information concerning the vulnerability was analyzed before being disclosed in reports filed with the agency.
The SEC says that on the morning of May 24, 2019, a journalist notified First American that its application had a vulnerability exposing more than 800 mn title and escrow document images going back to 2003, including images featuring sensitive personal data such as social security numbers and financial information.
In response, First American issued a statement for inclusion in the reporter’s article published that evening, saying: ‘First American has learned of a design defect in an application that made possible unauthorized access to customer data. At First American, security, privacy and confidentiality are of the highest priority, and we are committed to protecting our customers’ information. The company took immediate action to address the situation and shut down external access to the application.’
The company then filed a Form 8K on May 28, 2019, the next trading day, the SEC says. The associated press release stated that there was ‘[n]o preliminary indication of large-scale unauthorized access to customer information’ and that the company had shut down external access to the area with the reported design defect.
But the SEC says senior executives responsible for the press statement and Form 8K were not given certain information about the company’s information security personnel’s prior knowledge of a vulnerability associated with the EaglePro system before making those statements.
This information would have been relevant to management’s assessment of the company’s disclosure response to the vulnerability and the magnitude of the resulting risk, according to the agency. In particular, it alleges, First American’s senior executives were not informed that the company’s information security personnel had identified a vulnerability several months earlier in manual penetration tests of EaglePro, or that the company had failed to remediate the vulnerability in accordance with its policies.
First American did not maintain disclosure controls and procedures designed to ensure senior management had this information before making disclosures about the vulnerability, the SEC says.
‘As a result of First American’s deficient disclosure controls, senior management was completely unaware of this vulnerability and the company’s failure to remediate it,’ Kristina Littman, chief of the SEC enforcement division’s cyber unit, says in a statement. ‘Issuers must ensure that information important to investors is reported up the corporate ladder to those responsible for disclosures.’
First American settled the action without admitting or denying wrongdoing. It agreed to pay a $487,616 penalty.
A company spokesperson says in a statement: ‘We’re pleased to resolve this matter with the SEC and remain committed to compliance with all SEC disclosure control requirements.’ First American notes the settlement in a Form 8K filing.