A real estate settlement services company has run afoul of the Securities and Exchange Commission (SEC) for not properly acting on security vulnerabilities when it first became aware of them.
On June 15, the SEC said it had settled charges against First American Corporation for disclosure controls and procedures violations in relation to a security threat that could have compromised sensitive customer information.
In a statement, the SEC said a cybersecurity journalist informed First American on May 24, 2019, that its application for sharing document images had a flaw that left vulnerable more than 800 million images dating back to 2003. Some of those files contained financial information and Social Security numbers.
While the company acted quickly on the journalist’s tip, issuing a press release that day and filing an 8-K form four days later, it was punished because some in the company had known of the problem for several months but did not act on it.
“However, according to the order, First American’s senior executives responsible for these public statements were not apprised of certain information that was relevant to their assessment of the company’s disclosure response to the vulnerability and the magnitude of the resulting risk,” the SEC said in a statement. “In particular, the order finds that First American’s senior executives were not informed that the company’s information security personnel had identified the vulnerability several months earlier, but had failed to remediate it in accordance with the company’s policies.”
The SEC further found that First American did not properly maintain disclosure controls and procedures, which were meant to protect available and relevant information that was to be analyzed for disclosure in public reports filed with the SEC.
“As a result of First American’s deficient disclosure controls, senior management was completely unaware of this vulnerability and the company’s failure to remediate it,” said Kristina Littman, chief of the SEC Enforcement Division’s Cyber Unit. “Issuers must ensure that information important to investors is reported up the corporate ladder to those responsible for disclosures.”
The SEC charged First American with a violation of Rule 13a-15(a) of the Exchange Act. Without commenting on the findings, First American agreed to a cease-and-desist order and will pay a $487,616 fine.
First American reported revenue of $7.1 billion in 2020.