The Securities and Exchange Commission has fined a New York title insurance company $488,000 for failing to disclose cybersecurity problems to investors in a timely manner, in yet another example of how cybersecurity risks can spawn a secondary wave of compliance risks too.
The company in question is First American Financial Corp., parent company of First American Title Insurance — and if the latter name sounds familiar, that’s because it’s the same title insurance company charged by the New York Department of Financial Services last summer, for the same cybersecurity failures. NY-DFS took First American to task for violating state data protection rules; now the SEC is getting into the act with its own federal investor protection case.
The cybersecurity failures are as follows. First American maintained a database of some 800 million documents, available to title agents and others through a custom-made application called EaglePro.
In 2014, First American was doing an upgrade of EaglePro and introduced a vulnerability. The URL of each web page shared via EaglePro ended in a document ID number assigned to a specific document in the database, and the application treated that number as sufficient to serve the document. By typing a different ID number into the browser's address bar, a user could call up a different document, complete with all the personally identifiable information that a title agent had recorded on it. (In application-security terms, this is an insecure direct object reference: the object identifier stands in for an authorization check.)
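To make the failure concrete, here is an added example, written for this post and not EaglePro's or First American's code. It models the document lookup two ways: a handler that trusts the ID in the URL (the bug described above) beside a hardened one that checks the caller's authorization on every object, and, going a step beyond the text, a share-link scheme that replaces the guessable sequential ID with a random token for links sent to people outside the system. The document store, the agent names and every function name are constructed for illustration.

```python
import hashlib
import secrets

# Constructed sample store (assumption: sequential integer document IDs,
# each document recorded by one title agent).  Not EaglePro's real schema.
DOCS = {
    1001: {"owner": "agent-alice", "body": "Deed, SSN 123-45-6789"},
    1002: {"owner": "agent-bob", "body": "Mortgage, SSN 987-65-4321"},
    1003: {"owner": "agent-alice", "body": "Title report, account 4455"},
}

# Share links issued to outside parties, keyed by SHA-256 of the token so a
# leaked table does not hand out working links.
SHARE_TOKENS = {}


def lookup_vulnerable(requesting_agent, doc_id):
    """The bug: the ID taken from the URL is treated as proof of access.
    Whoever edits the number in the address bar gets that document."""
    doc = DOCS.get(doc_id)
    return doc["body"] if doc else None


def lookup_hardened(requesting_agent, doc_id):
    """Fix 1: check that the caller is authorized for *this* object on
    every request.  'Absent' and 'not yours' get the same answer so the
    endpoint is not an oracle for which IDs exist."""
    doc = DOCS.get(doc_id)
    if doc is None or doc["owner"] != requesting_agent:
        return None
    return doc["body"]


def issue_share_link(requesting_agent, doc_id):
    """Fix 2: for links handed to people who have no account, replace the
    guessable sequential ID with a 256-bit random capability token.
    Only the document's owner may mint one."""
    doc = DOCS.get(doc_id)
    if doc is None or doc["owner"] != requesting_agent:
        return None
    token = secrets.token_urlsafe(32)
    SHARE_TOKENS[hashlib.sha256(token.encode()).hexdigest()] = doc_id
    return token


def lookup_by_token(token):
    """Resolve a share token; an unknown token yields nothing.  With 256
    bits of entropy, 'try the next number' is no longer a usable attack."""
    doc_id = SHARE_TOKENS.get(hashlib.sha256(token.encode()).hexdigest())
    return DOCS[doc_id]["body"] if doc_id is not None else None


def enumerate_ids(handler, requesting_agent, start, stop):
    """What the December 2018 finding amounts to: walk a range of IDs as
    one caller and report which ones the handler hands back."""
    return [i for i in range(start, stop)
            if handler(requesting_agent, i) is not None]


if __name__ == "__main__":
    # agent-bob owns one document but the vulnerable handler yields all three.
    print("vulnerable:", enumerate_ids(lookup_vulnerable, "agent-bob", 1000, 1010))
    print("hardened:  ", enumerate_ids(lookup_hardened, "agent-bob", 1000, 1010))
```

Run as a script, the vulnerable handler lets agent-bob enumerate every document in the range while the hardened one returns only his own. The share-token path matters because the post describes links being shared with outside parties: a link that has to work without a login cannot rely on a per-user check, so the identifier in it must be unguessable rather than sequential.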
First American’s cybersecurity team discovered that vulnerability in December 2018. That’s when the regulatory trouble started.
Problems With Remediation, Escalation
As outlined in the SEC’s complaint against First American, the company’s IT and security team began working to remediate that vulnerability in January 2019. They decided to classify the problem as a “level 3 vulnerability,” and according to the company’s own internal policies, that meant that it had to be fixed within 45 days.
Unfortunately, an employee then mistakenly logged the issue as a “level 2 vulnerability” in First American’s remediation system — which then put the problem on a different track, to be remediated in 90 days. (That delay seems not to have made much difference, because the remediation team didn’t fix things by the 90-day window either.)
The situation turned messier on May 24, 2019, when cybersecurity journalist Brian Krebs notified First American that he’d discovered the breach and reported the news on his blog, Krebs On Security. That sent First American scrambling, and the company filed an 8-K statement with the SEC the following Tuesday, May 28, announcing the cybersecurity failure to investors.
Except, the company's own information security staff had known about the vulnerability since January, and had been working on it for months. They hadn't informed the senior executives who sign off on public statements, nor the First American team in charge of SEC disclosures, until everything blew up in the media.
That was a failure of First American’s disclosure controls and procedures, and that triggered the SEC enforcement action. Or, as the SEC said:
Unbeknownst to these senior executives, the company’s information security personnel had been aware of the vulnerability for months and the company’s information technology personnel did not remediate it, leaving millions of document images exposed to potential unauthorized access for months … As discussed above, the company’s business includes providing services involving data related to real estate transactions. Nevertheless, as of May 24, 2019, First American did not have any disclosure controls and procedures related to cybersecurity, including incidents involving potential breaches of that data.
The result: an enforcement nastygram from the SEC. First American would neither admit nor deny the charges, but agreed to a cease-and-desist order and $487,616 in penalties. (That said, the company had $7.08 billion in revenue in 2020, so the penalty is chump change.)
Points to Ponder
We already considered lessons on internal control and cybersecurity risk management in our post from last year, examining the NY-DFS action against First American. We won’t rehash that material here, except to say this: when your business is the collection and processing of confidential consumer data, you need to design strong risk assessment and escalation procedures from the start.
Our lessons today are more about omitting compliance officers from important business issues — like, say, suffering a serious cybersecurity weakness when you’re in the business of processing consumer data.
The point in securities law isn’t so much that you should manage the risk to an appropriately low level (although, yes, you should do that). The point is that you should disclose the risk you’re trying to manage, so investors can make informed decisions. Which means the compliance teams tasked with disclosing risks to investors must be apprised of those issues. The process to do that is otherwise known as disclosure controls and procedures.
In fact, another good example of this issue isn’t related to cybersecurity at all. The example is Mylan Labs, which ran into trouble with the SEC in 2019. (These days Mylan has been reborn as Viatris, a combo of Mylan and Pfizer’s subsidiary Upjohn.)
In the mid-2010s, Mylan ran into regulatory trouble with the Justice Department over Mylan’s exorbitant pricing of EpiPens. By 2014, Mylan’s legal team knew the company would end up paying a significant penalty for violations of the False Claims Act. But nobody in legal told the folks at Mylan’s finance department, which failed to accrue sufficient contingency funds for that settlement.
The company paid a $465 million penalty in October 2016, and sprang that news on investors at the same time, despite the legal team knowing for more than two years that just such an iceberg was heading for the balance sheet. The SEC didn't like that failure to disclose in a timely manner one bit, and in 2019 the agency hit Mylan with a $30 million civil penalty.
In both cases, we had a company failing to keep compliance and disclosure executives apprised of a significant risk: healthcare pricing for Mylan, cybersecurity for First American.
By failing to keep disclosure executives informed of the cybersecurity issue, First American ended up paying nearly half a million dollars. Would it really have cost that much to include those folks on the Zoom call from the start?