The U.S. Securities and Exchange Commission fined a title insurance company $487,616 for failing to adequately disclose a cybersecurity vulnerability that exposed sensitive customer information, the agency said Tuesday.
The SEC said in a statement that on May 24, 2019, a cybersecurity journalist notified Santa Ana, California-based First American Financial Corp. of a vulnerability in its application for sharing document images that exposed more than 800 million images dating back to 2003, including images containing sensitive personal data such as Social Security and financial information.
According to the report by business insurance saying First American issued a press release regarding the vulnerability on May 24, 2019, and submitted a Form 8-K to the SEC on May 28, 2019, but senior executives were not told the company’s information security personnel had identified the vulnerability several months earlier and had failed to remediate it, the SEC said.
Kristina Littman, chief of the SEC enforcement division’s cyber unit, said in a statement, “Issuers must ensure that information important to investors is reported up the corporate ladder to those responsible for disclosures.”
An order issued by the SEC charges the company with violating the Securities Exchange Act of 1934. First American agreed to a cease-and-desist order and to pay the fine without admitting or denying the SEC’s findings, the statement said.
The company said in a statement, “We’re pleased to resolve this matter with the SEC and remain committed to compliance with all SEC disclosure control requirements.”
In July 2019, First American, which is one of the largest providers of title insurance in the United States, was the first insurer to be charged with violating the New York State Department of Financial Services’ 2017 cybersecurity regulation in connection with the issue.
A related securities litigation lawsuit was filed against the company and two of its officers in U.S. District Court in Los Angeles in October 2019