Well this is going to hurt: First American Financial Corp., one of the largest title insurance firms in the United States, suffered a cyber attack over the Christmas break that has left legions of homebuyers and sellers unable to close their sales — and it is the second significant cyber incident First American has endured in recent years.
We don’t know the full details yet, but it seems that First American suffered the attack on Wednesday, Dec. 20. By Friday, Dec. 22, the company had taken its email systems offline and warned customers to be suspicious of any electronic messages claiming to be from First American.
That same day, the company also filed a report with the Securities and Exchange Commission alerting investors to the attack. That was to comply with new rules the SEC adopted over the summer (and which went into effect on Dec. 18) requiring more prompt disclosure of cyber attacks. Alas, First American’s disclosure didn’t say much:
“First American Financial Corp. recently identified unauthorized activity on certain of its information technology systems. Upon detection of the unauthorized activity, the Company took steps in an effort to contain, assess and remediate the incident. On December 20, 2023, the company elected to isolate systems from the Internet. The company is working diligently to restore those systems and resume normal operations as soon as possible, but cannot estimate the duration or extent of the disruption at this time.”
First American has launched a website to update buyers, sellers, and realtors about the breach, and as of this morning the company seems to be bringing its systems back online. Then again, First American also notified customers about the attack on LinkedIn, which prompted dozens of comments from First American customers who had their home purchases locked in limbo. As you can imagine, these comments were not sympathetic.
For compliance and audit professionals worried about cybersecurity issues, the First American case is one worth following. It raises two important questions.
First, how should a company provide ongoing updates about a cyber incident? First American quickly decided this attack was material — I mean, no kidding; you have customers with home down payments locked in limbo and closing dates missed; that’s bound to attract attention — and then disclosed the event within the four-day window required by the SEC.
Except, as you can see above, that disclosure is quite meager. Presumably First American will in due course figure out more details about the scope of the attack and its potential damages, such as regulatory investigations and loss of customers to rival title insurance companies. So how will the company discuss those details in its 10-Q filings from here forward? It will be a fascinating case study in cybersecurity disclosure.
Second, how will regulators respond to this incident? Keep in mind, this is the second major cybersecurity failure First American has suffered in recent years. In 2019 the company discovered a significant software vulnerability in its IT systems that exposed confidential customer data to public view.
First error: an IT employee then classified that vulnerability as a low-priority problem, so it wasn’t fixed in a timely manner. Second error: when the media got wind of the breach and asked the company for comment, the company made a misleading disclosure about it to investors. That led to a $488,000 civil penalty from the SEC in 2021 and a $1 million sanction from the New York Department of Financial Services announced one month ago.
In fairness to First American, this latest incident is a cybersecurity attack, whereas its first offense was about misconfigured software. Still, suffering a second far-reaching cybersecurity incident just weeks after you settled your first far-reaching incident is not a good look, even if the two incidents were different in nature.
I’m not sure the SEC will take action here if First American can get its disclosures right. New York’s cybersecurity rule for financial services companies, on the other hand, imposes a raft of specific internal control requirements. After NY-DFS regulators finish crawling up First American’s rear end with a microscope — because that’s going to happen, for sure — I’ll be curious to see what sort of penalty the state imposes for a second cyber offense.