First American penalized by SEC over data breach disclosures

Title insurance underwriter First American Financial agreed to pay a $487,616 penalty to the Securities and Exchange Commission regarding disclosures made in connection with the 2019 discovery of a data breach.

Both First American and the SEC said the company neither admitted to nor denied the allegations made by the regulator, in respective announcements issued on Tuesday.

"We're pleased to resolve this matter with the SEC and remain committed to compliance with all SEC disclosure control requirements," a statement from a First American spokesman said.

NMN061521-First American

In May 2019, it was disclosed that a security flawat the title insurer may have allowed unauthorized access to more than 885 million records containing sensitive personal information going back to 2003.

First American issued a press release on May 24, 2019 and filed a statement with the SEC several days later. However, the SEC said that First American executives were not informed by the company's information security personnel of certain pertinent information regarding the breach, including that it had been discovered several months earlier.

First American disclosed in its third quarter 2020 10-Q filing it received a Wells Noticefrom the SEC stating its staff had recommended filing an enforcement action regarding how the company handled the breach.

In its findings, the SEC order stated that First American failed to maintain disclosure controls and procedures designed to ensure that all available, relevant information concerning the vulnerability was analyzed for disclosure in the company's public reports.

"In particular, First American's senior executives were not informed that the company's information security personnel had identified a vulnerability several months earlier in a January 2019 manual penetration test of the EaglePro application, or that the company had failed to remediate the vulnerability in accordance with its policies," the SEC order said.

When the public statements were made, senior executives were not aware that the company's information security personnel had known about the breach since January nor that it had existed since 2014.

"As a result of First American's deficient disclosure controls, senior management was completely unaware of this vulnerability and the company's failure to remediate it," Kristina Littman, chief of the SEC Enforcement Division's Cyber Unit, said in a press release. "Issuers must ensure that information important to investors is reported up the corporate ladder to those responsible for disclosures."

The New York Department of Financial Services, which regulates insurers in the state, was thanked by the SEC for its assistance in the investigation.

First American's stock, which just before noon on Tuesday was trading at $64.82, or 77 cents lower than its Monday close, ended the day at $66.14 per share, after reaching as high as $66.61 just before 3 P.M.

For reprint and licensing requests for this article, click here.
Enforcement SEC enforcement Data security Stocks First American Financial Corp.
MORE FROM NATIONAL MORTGAGE NEWS