The SEC announced a settled enforcement action concerning First American Financial Corporation’s violations of disclosure controls and procedures. The violations related to disclosures made in connection with a cybersecurity vulnerability involving the company’s “EaglePro” application for sharing document images related to title and escrow transactions. According to the SEC, First American failed to maintain disclosure controls and procedures designed to ensure that all available relevant information concerning the vulnerability was analyzed for disclosure in the company’s reports with the Commission.
The SEC’s order states:
On the morning of May 24, 2019, a cybersecurity journalist notified First American that its application had a vulnerability exposing over 800 million title and escrow document images dating back to 2003, including images containing sensitive personal data such as social security numbers and financial information.
In response, First American issued a statement for inclusion in the cybersecurity journalist’s report published on the evening of May 24, 2019, and furnished a Form 8-K to the Commission on May 28, 2019.
First American’s senior executives responsible for the press statement and Form 8-K were not apprised of certain information concerning the company’s information security personnel’s prior knowledge of a vulnerability associated with First American’s EaglePro system before making those statements—information that would have been relevant to management’s assessment of the company’s disclosure response to the vulnerability and the magnitude of the resulting risk.
In particular, First American’s senior executives were not informed that the company’s information security personnel had identified a vulnerability several months earlier in a January 2019 manual penetration test of the EaglePro application, or that the company had failed to remediate the vulnerability in accordance with its policies.
As a result, the SEC alleged that First American did not maintain disclosure controls and procedures designed to ensure that senior management had all relevant information about the January 2019 report prior to issuing the company’s disclosures about the vulnerability.
First American did not admit or deny the SEC findings in the SEC’s order settling the proceeding.