The Securities and Exchange Commission announced last week a cybersecurity violation by title insurance giant First American Financial Corp. after the company learned of a breach that exposed customer social security numbers and sensitive financial information, yet failed to act.
First American agreed to a cease-and-desist order and will pay a $487,616 penalty.
Per the SEC, First American in 2019 was notified by Brian Krebs, a cybersecurity journalist, of a data exposure that led to the sharing of images dating back to 2003, including 800 million images, some of which contained customer social security numbers and confidential financial information.
In response, First American issued a press statement and furnished a Form 8-K, but the SEC determined that the senior executives responsible for the public statements were “not apprised of certain information that was relevant to their assessment of the company’s disclosure response to the vulnerability and the magnitude of the resulting risk.”
The SEC also found that First American’s senior executives were uninformed of the vulnerability and of the company’s failure to remediate it in accordance with its policies.
“First American’s senior management was completely unaware of this vulnerability and the company’s failure to remediate it,” said Kristina Littman, chief of the SEC enforcement division’s cyber unit. “Issuers must ensure that information important to investors is reported up the corporate ladder to those responsible for disclosures.”
Per the SEC, the data exposure was classified as a “level 3” security issue, meaning it required remediation within 45 days. However, a clerical error led to the issue being entered as a “level 2” security issue, which requires remediation within 90 days.
If the person responsible for fixing the issue is unable to do so based on the aforementioned timeframes, the employee must have their supervisors contact the company’s information security department to discuss a remediation plan and proposed time estimate.
In layman’s terms: a First American employee did not request a waiver or risk acceptance, the SEC said.
“If it is not technically possible to remediate the vulnerability, or if remediation is cost prohibitive, the employee and their management must contact [SEC’s Information Security division] to obtain a waiver or risk acceptance approval,” the SEC said in a statement.
An independent investigation into the data exposure identified 32 consumers whose personal information likely was accessed without authorization, First American said in a regulatory filing in August 2019.
“We’re pleased to resolve this matter with the SEC and remain committed to compliance with all SEC disclosure control requirements,” First American said in a statement.
First American is the second-largest mortgage title and settlement company in the U.S., handling nearly a quarter of all closings each year. It derives nearly 92% of its revenue from its title insurance segment, according to the SEC.
The company reported $7.1 billion in total revenue in 2020 in its annual earnings report, a 14% rise year over year, according to officials. Net income was $696.4 million, or $6.16 per diluted share, with a pretax impairment of $54.9 million, or 45 cents per diluted share. First American also announced a total of $1.1 billion in cash flow operations in 2020, a return on equity of 14.9%, and a 15.7% segment pretax margin of title insurance and services.