Last week, the Securities and Exchange Commission announced the resolution of charges against First American Financial Corporation alleging lax cybersecurity controls and procedures, with the federal agency levying a $487,616 penalty.
The charges relate to a cybersecurity vulnerability in First American’s “EaglePro” application for sharing document images related to title and escrow transactions—a vulnerability that reportedly exposed 885 million files, the earliest dating back to 2003.
The insurer was apprised of the vulnerability on May 24, 2019 by a journalist writing about cybersecurity, and senior executives responded to the journalist—and in an 8-K SEC filing four days later—stating that external access to the application that created unauthorized access to customer data was being shut down.
While those executive actions seemed quick, it turned out that other people within First American already knew about the vulnerability in January, when information security identified a “serious” or level “3” vulnerability in the EaglePro application.
Under First American’s vulnerability remediation management policies, a vulnerability with a level 3 severity was categorized as “medium risk” and required remediation within 45 days. But instead of recording the vulnerability as a level 3 severity, the vulnerability was erroneously input as
a level “2” or “low risk” severity in First American’s automated VRM tracking system—the result of a clerical error—meaning that it would require remediation within 90 days.
According to the SEC, First American’s chief information security officer didn’t learn about the January discovery and the lack of remediation until May 24, and the chief information was apprised a day later, on May 25, 2019.
“The company’s senior executives responsible for the disclosures”—the CEO and CFO—”were not made aware about these facts prior to the company releasing its statement to the press on May 24, 2019 or furnishing the Form 8-K on May 28, 2019….. Unbeknownst to these senior executives, the company’s information security personnel had been aware of the vulnerability for months and the company’s information technology personnel did not remediate it, leaving millions of document images exposed to potential unauthorized access for months,” the SEC said last week, explaining the impetus for the penalty.
Along with the penalty, the SEC also ordered First American to cease and desist from committing or causing any violations and any future violations of Exchange Act Rule 13a-15, which requires issuers to maintain disclosure controls and procedures.
“Issuers must ensure that information important to investors is reported up the corporate ladder to those responsible for disclosures,” Kristina Littman, Chief of the SEC Enforcement Division’s Cyber Unit said, in a media statement.
In October 2020, AM Best commented that First American’s A (excellent) rating was unaffected by a September 2020 disclosure of First American’s receipt of a Wells Notice from the SEC enforcement staff looking into the May 2019 cybersecurity incident and the adequacy of disclosure controls.
The SEC announcement last week revealed assistance with its investigation from the New York State Department of Financial Services, which filed its own charges against First American in July 2020. The New York regulator’s action against the title insurer was the first it filed under DFS’ cybersecurity regulation, Part 500 of Title 23 of the New York Codes, Rules, and Regulations, which went into effect in March 2017.
In 2019, First American wrote more than 50,000 policies in New York state, according to a DFS July 22, 2020 press release.
Recently, DFS announced a cybersecurity settlement of its own, ordering National Securities Corporation, a licensed insurance company selling life, accident and health insurance, and variable annuities insurance, to pay $3 million finding that the company failed to implement multi-factor authentication. The Department’s investigation found that National Securities had been the subject of four cyber breaches between 2018 and 2020, two of which had not been reported to the Department as mandated by its cybersecurity regulation.