On June 15, 2021, the SEC settled its charges against First American Financial Corporation (“First American”), a real estate company, in the amount of $487,616, for its “disclosure controls and procedures violations related to disclosures made in connection with a cybersecurity vulnerability involving the company’s ‘EaglePro’ application for sharing document images related to title and escrow transactions”, in violation of Rule 13a-15(a) of the Security Exchange Act of 1934. See the SEC Order, File No. 3-20367, which can be accessed here. The cybersecurity vulnerability at issue, found to have existed since 2014, was a design defect in the EaglePro application whereby a user could take an unsecured EaglePro package URL containing images of escrow and title-related documents and alter it to view other document images which the user was not authorized to access, thereby exposing to unauthorized access “millions of document images”. Id. at 6. This vulnerability, identified in a January 11, 2019 report finalized by First American’s information security personnel, was incorrectly inputted internally as “low risk” instead of “medium risk”, thereby increasing the time for remedying the defect from 45 days to 90 days upon input. Further, senior executives who were responsible for First American’s disclosures were not made aware of the pertinent facts of the January 11th report until after the company furnished a Form 8-K, which included a press release about the cybersecurity vulnerability, on May 28th, 2019.
Given the success of the SEC’s Cyber Unit in holding First American responsible for its mishandling of this serious cybersecurity vulnerability, and given the recent consideration for recommendation in the OIRA Agenda for the SEC to propose rule amendments aimed at enhancing issuer disclosures as they relate to cybersecurity risk governance, it will be curious to see if the SEC’s Cyber Unit pursues more cybersecurity cases akin to the First American matter.
About Faruqi & Faruqi, LLP
Faruqi & Faruqi, LLP focuses on complex civil litigation, including securities, antitrust, wage and hour, personal injury and consumer class actions as well as shareholder derivative and merger and transactional litigation. The firm is headquartered in New York, and maintains offices in California, Delaware, Georgia and Pennsylvania.
Since its founding in 1995, Faruqi & Faruqi, LLP has served as lead or co-lead counsel in numerous high-profile cases which ultimately provided significant recoveries to investors, direct purchasers, consumers and employees.
To schedule a free consultation with our attorneys and to learn more about your legal rights, call our offices today at (877) 247-4292 or (212) 983-9330.
About Thomas T. Papain
Thomas T. Papain's practice focuses on securities litigation. Thomas is an associate in the firm's New York office.
Thomas T. Papain
Associate at Faruqi & Faruqi, LLP
New York office
Tel: (212) 983-9330
Fax: (212) 983-9331