WASHINGTON—The U.S. Securities and Exchange Commission (SEC) has launched what one report is calling a “salvo across the bows of public companies” with its civil monetary penalties and a cease-and-desist order against First American Financial Corporation (FAFC) for deficient disclosure controls and procedures related to cybersecurity risks.
“Combined with the New York State Department of Financial Services' (NYSDFS) first-ever charges for violating the NYSDFS' Cybersecurity Regulations, FAFC has been battling regulators on multiple fronts for the same cybersecurity risk management failure. In addition to the regulatory front, the NYSDFS action formed the basis of a shareholders' derivative suit against FAFC and its board of directors, as well as a number of purported consumer class-action lawsuits,” JD Supra stated, adding that the warning bells and the grace periods appear to be over as the SEC and NYSDFS are now using their enforcement powers to ensure that companies implement robust cybersecurity risk management systems.
“With cyberattacks ever present and constantly evolving, it is only a matter of time that a company's cybersecurity risk management efforts and related controls, as well as corporate governance, will be exposed to regulatory scrutiny,” JD Supra stated. “To avoid substantial monetary penalties and other sanctions, companies need to develop comprehensive cybersecurity risk management standards and to test and upgrade their effectiveness regularly.”
Journalist Flagged Issue
FAFC provides title insurance policies on residential and commercial real estate properties as well as closing and escrow services. The report notes that on May 24, 2019, a cybersecurity journalist notified FAFC's investor relations personnel that its web application for sharing document images related to title and escrow transactions had a cybersecurity vulnerability that exposed sensitive personal information from more than 800 million documents from real estate transactions, including bank account numbers, mortgage and tax records, Social Security numbers, wire transaction receipts and driver's license images.
After FAFC shut down external access to this web application, the journalist published an article regarding the vulnerability, JD Supra said.
