On June 15, 2021, “The Securities and Exchange Commission (‘SEC’) announced settled charges against real estate settlement services company First American Financial Corporation for disclosure controls and procedures violations related to a cybersecurity vulnerability that exposed sensitive customer information.”

On May 24, 2019, Brian Krebs notified First American Financial Corporation of a vulnerability in its document-sharing website that exposed over 800 million records dating back to 2003, including images containing sensitive personal data such as Social Security numbers and financial information.

The SEC stated that First American’s senior executives were not informed that the company’s information security team had identified the vulnerability several months earlier but had failed to remediate it in accordance with the company’s policies. First American also failed to report all of the details of the incident.

The SEC highlighted that senior management’s lack of visibility into cybersecurity vulnerabilities resulted in improper disclosure. As a result, First American agreed to a cease-and-desist order and to pay a $487,616 penalty.

Lessons Learned

So, what are the takeaways here?

  • To maintain a successful cybersecurity program, support and input need to come from the top.
  • Maintaining a secure posture requires not only strong technical defenses but also strong operational and procedural defenses.
  • Analyze, test, review, remediate, and start the cycle all over again. This includes:
    • Analyzing your security posture on a periodic basis
    • Running tests on your technical controls, your policies, and your people
    • Ensuring you are aware of your third-party and fourth-party risk
    • Reviewing results from prior analyses and tests to determine cybersecurity maturity
    • Remediating the gaps and starting the cycle again