SEC and Cybersecurity
Cybersecurity is a key topic for issuers and members of the public. A cybersecurity breach can put at risk or expose the personal data of thousands of individual. The Commission has brought a number of cases in this area over the years. With the recent focus on international hacking, and organizations with ties to foreign countries blackmailing firms, concern regarding the installation and maintenance of the proper controls is increasing rapidly. The Commission’s most recent case in this area involved a large real estate firm. It is an example of the type of actions that may soon become a focus for SEC enforcement.
In the Matter of First American Financial Corporation, Adm. Proc. File No. 3-20367 (June 14, 2021) is an example of the type of cybersecurity case that may become a new staple of the enforcement program. First American is a California based provider of products and services tied to residential and commercial real estate transaction. The firm’s Title Insurance and Services segment issues title insurance policies on residential and commercial property along with closing and escrow services. The data collected includes material non-public personal information such as social security numbers and financial data. About 91% of the firm’s revenue comes from this segment.
In May 2019 the firm had a repository of about 800 million document images that contained non-public and nonpublic personal information. The images with NPPI were supposed to be marked with the legend “SEC.” Tagging the documents in this manner was done manually. There were misclassifications.
Prior to May 2019 the firm transmitted documents to customers in secure and unsecure packages. The former required password verification by the recipient. The latter did not. Yet the contents of the secure packages could be shared by the recipient with others without password verification.
The system for maintaining and transmitting the materials had a flaw. Before May 2019 a user could take the URL generated as part of a package which contained the link to an image of NPPI and alter the digits to the URL to permit the viewing of other materials. When this flaw was identified the firm’s disclosure control procedures required that it be remedied within relatively short time periods, depending on the severity of the risk. Here the risk should have been categorized as medium but instead was labeled low. It was not remedied within the time limits set for either medium or low risks.
Subsequently, on May 24, 2019 a cybersecurity journalist contacted the firm about its web application noting that there was a leak involving over 800 million documents. First American issued a statement that the journalist published noting that the company had learned of a design issue and “took immediate action to address the situation and shut down external access to the application” The statement was reiterated in a Form 8-K. The senior executives at the firm, however, were not aware of the facts about the incident prior to the statement release. Indeed, those executives were not aware that the vulnerability had been identified months ago. The Order alleges violations of Exchange Act Rule 13a-5.
To resolve the matter, First American consented to the entry of a cease-and-desist order based on the Rule. The firm also agreed to pay a penalty of $487,616.