The Securities and Exchange Commission announced Tuesday that it has settled charges with First American Financial over its 2019 leak of sensitive customer information that exposed more than 800 million document images.
Under the terms of the deal, the heavyweight real estate title insurance company will pay a $487,616 fine. The SEC had charged the company with inadequately disclosing the cybersecurity vulnerability that exposed the information. The digitized records included things like Social Security numbers and bank account statements.
First American first made public statements about the vulnerability in May 2019 but the company’s information security personnel had first spotted it in January, and according to the SEC they didn’t fix it and failed to notify company brass.
“As a result of First American’s deficient disclosure controls, senior management was completely unaware of this vulnerability and the company’s failure to remediate it,” said Kristina Littman, chief of the SEC Enforcement Division’s Cyber Unit. “Issuers must ensure that information important to investors is reported up the corporate ladder to those responsible for disclosures.”
First American neither admitted nor denied the charges in the SEC order.
“We’re pleased to resolve this matter with the SEC and remain committed to compliance with all SEC disclosure control requirements,” the company said in a statement. It also filed another form with the SEC to notify investors about the agreement.
The SEC settlement doesn’t end the potential legal and regulatory jeopardy for the company. The New York State Department of Financial Services also has filed charges against First American, and it faces the usual array of lawsuits.
The commission announced the settlement shortly after signaling its plans to further “enhance issuer disclosures regarding cybersecurity risk governance” in its rulemaking wishlist, targeting spring for the changes. The last SEC chairman, Jay Clatyon, declared cyber a priority.
The current chairman, Gary Gensler, didn’t mention the subject in his prepared testimony during his March nomination hearing before the Senate Banking Committee, although he did tell House appropriators last month that there was enough investor demand for him to ask his staff for recommendations on additional cyber protections.