In a June 14, 2021, Settlement Order[1] (the “Order”), the Securities and Exchange Commission (“SEC”) alleged certain cybersecurity disclosure controls failures at First American Financial Corporation (“FAFC”).
Without admitting or denying the SEC’s findings, FAFC agreed to (1) cease and desist from further violations of SEC Exchange Act Rule 13a-15(a); and (2) pay a $487,616 penalty. Rule 13a-15(a) mandates that every issuer of a security registered pursuant to Section 12 of the Exchange Act must maintain disclosure controls and procedures to ensure that information the issuer must disclose in reports it files or submits pursuant to the Exchange Act is recorded, processed, summarized, and reported within the time periods specified in the SEC’s rules and forms. FAFC provides products and services in connection with residential and commercial real estate transactions, including title insurance and escrow services. In connection with that business, FAFC issues common stock registered with the SEC pursuant to 12(b) of the Exchange Act. Many months before this SEC action arose, FAFC’s IT security personnel had identified a computer system vulnerability that they failed to remedy in accordance with the company’s policies, and about which they failed to inform the company’s senior management.
On May 24, 2019, a cybersecurity journalist notified FAFC that its “EaglePro” application for sharing document images related to title and escrow transactions had a cybersecurity vulnerability. The vulnerability exposed over 800 million title and escrow document images dating back to 2003. These images included Personal Identifiable Information (“PII”) such as social security numbers and financial information. In response to this notification, FAFC issued the following statement to the journalist: “First American has learned of a design defect in an application that made possible unauthorized access to customer data. At First American, security, privacy and confidentiality are of the highest priority and we are committed to protecting our customers’ information. The company took immediate action to address the situation and shut down external access to the application.” The journalist quoted this statement verbatim in his cybersecurity blog report published on the evening of May 24, 2019.[2]
FAFC then furnished a Form 8-K to the SEC on May 28, 2019, attaching an additional press release stating, in part, that there was “[n]o preliminary indication of large-scale unauthorized access to customer information.” The press release also stated: “First American Financial Corporation advises that it shut down external access to a production environment with a reported design defect that created the potential for unauthorized access to customer data.”
The June 2021 SEC Order arose in part because FAFC’s senior executives responsible for the press statement and Form 8-K were not apprised of certain information concerning the company’s information security personnel’s prior knowledge of a vulnerability associated with FAFC’s EaglePro system before making those statements – information that would have been relevant to management’s assessment of the company’s disclosure response to the vulnerability and the magnitude of the resulting risk. In particular, FAFC’s senior executives were not informed that the company’s information security personnel had identified a vulnerability several months earlier in a January 2019 manual penetration test of the EaglePro application (“January 2019 Report”), or that the company had failed to remediate the vulnerability in accordance with its policies. As discussed in the Order, FAFC did not maintain disclosure controls and procedures designed to ensure that senior management had this relevant information about the January 2019 Report prior to issuing the company’s disclosures about the vulnerability.
As evidenced by the FAFC Order, and several additional recent enforcement actions, the SEC is viewing cybersecurity threats to businesses subject to SEC rules as a growing business risk. One such enforcement action concerned Pearson plc, a London-based public company listed on the New York Stock Exchange (with Pearson’s ordinary shares registered under Section 12(b) of the Exchange Act). In August 2021, Pearson agreed to pay $1 million to settle charges that it misled investors about a 2018 data breach involving the theft of millions of student records, including dates of births and email addresses, and lacked adequate disclosure controls and procedures.[3]
Other recent SEC enforcement actions include sanctions against eight firms in three actions filed August 30, 2021, “for failures in their cybersecurity policies and procedures that resulted in email account takeovers exposing the personal information of thousands of customers and clients at each firm.” The eight firms, which have agreed to settle the charges, are: Cetera Advisor Networks LLC, Cetera Investment Services LLC, Cetera Financial Specialists LLC, Cetera Advisors LLC, and Cetera Investment Advisers LLC (collectively, the Cetera Entities) – $300,000 penalty; Cambridge Investment Research Inc. and Cambridge Investment Research Advisors Inc. (collectively, Cambridge) – $250,000 penalty; and KMS Financial Services Inc. – $200,000 penalty. All were Commission-registered as broker dealers, investment advisory firms, or both. Kristina Littman, Chief of the SEC Enforcement Division’s Cyber Unit, is quoted[4] as saying, “Investment advisers and broker dealers must fulfill their obligations concerning the protection of customer information…. It is not enough to write a policy requiring enhanced security measures if those requirements are not implemented or are only partially implemented, especially in the face of known attacks.”
Collectively, these SEC enforcement actions underscore the importance of a business:
- Having appropriate privacy and cybersecurity policies;
- Educating/training employees about these policies;
- Ensuring the business’s contracting practices contain appropriate provisions consistent with these policies; and
- Conducting periodic legal audits for compliance to these policies.
The FAFC Order also highlights the importance of executives maintaining an awareness of all material internal and external communications of the privacy and cybersecurity threats facing the business, and providing leadership from the top as to the importance of privacy and cybersecurity issues to the business’s risk management.
© 2021 Alan S. Wernick and Aronberg Goldgehn.
[1] In re First American Financial Corporation, SEC Admin. Proceeding No. 3-20367 (SEC Order, June 14, 2021) –https://www.sec.gov/litigation/admin/2021/34-92176.pdf.
[2] “First American Financial Corp. Leaked Hundreds of Millions of Title Insurance Records” (KrebsOnSecurity Blog Post, May 24, 2019) – https://krebsonsecurity.com/2019/05/first-american-financial-corp-leaked-hundreds-of-millions-of-title-insurance-records/.
[3] “SEC Charges Pearson plc for Misleading Investors About Cyber Breach” (SEC Press Release, August 16, 2021) – https://www.sec.gov/news/press-release/2021-154.
[4] “SEC Announces Three Actions Charging Deficient Cybersecurity Procedures” (SEC Press Release, August 30, 2021) – https://www.sec.gov/news/press-release/2021-169.
