Saturday, October 16 2021

First American Financial Corp. agreed to a settlement with the Securities and Exchange Commission over failures in its disclosure controls and procedures related to cybersecurity vulnerabilities.

According to the SEC order, First American’s file-sharing application leaked over 800 million images, including bank account numbers and statements, mortgage and tax records, Social Security numbers, wire transaction receipts, and driver licenses. First American agreed to a $487,616 settlement for violations related to a vulnerability in its EaglePro application.

Yes, you read that correctly. To place the settlement in context, First American and its insurance subsidiaries held the second-largest market share in the title insurance industry, approximately 27% market share as of August 2017, according to Fitch Ratings.

Alex Sharpe, principal at Sharpe Management Consulting LLC, told SecureDisruptions he was “skeptical” that the settlement would induce good cyber hygiene.

This data is valuable “and it needs to be protected to the level of that value,” he added. “The amount of the perceived fine will dictate how much an organization is willing to invest in preventing the loss.”

We’re pretty sure this isn’t what Grace Hopper meant when she said, ‘It’s easier to ask forgiveness than it is to get permission.’

If NYDFS Doesn’t Get You, the SEC Will… Sort Of.

In July 2020, First American’s insurance subsidiary became the first company charged with violating the New York State Department of Financial Services’ Cybersecurity Regulation. The case with NYDFS is ongoing.

Brian Krebs, an investigative cybersecurity journalist, first reported the exposed transaction images in May 2019. He called the settlement “farcical” in a recent blog post after the settlement announcement.

The SEC “appears to have taken care to be thoughtful in not second-guessing good faith decisions about whether to disclose security vulnerabilities,” King & Spalding LLP partner Bill Johnson told SecureDisruptions.

At a May 2018 Congressional hearing, former SEC Enforcement co-directors Stephanie Avakian and Steven Peikin noted the challenges of disclosing cyberattacks. The officials expressed a hesitation to “second-guess good-faith disclosure decisions,” although they warned that some circumstances warrant enforcement actions.

Sharpe noted the limitations of regulatory reluctance to “second-guess” disclosure decisions. “They’re not Monday morning quarterbacking it,” he said. “They’re judging the result.”

The SEC released cybersecurity disclosure guidance in February 2018. In announcing the revised guidance, former Chairman Jay Clayton noted “the importance of policies and procedures related to disclosure controls and procedures, insider trading, and selective disclosures.”

Johnson, a former Enforcement Division attorney at the regulator, said the settlement is consistent with the 2018 guidance and other public statements by SEC officials, “all of which emphasized the need for company employees with knowledge of security vulnerabilities to share that information with those responsible for making SEC disclosures.”
