SEC Settles Charges against First American Financial Corporation over Cybersecurity Vulnerability


On June 15, 2021, the SEC settled its charges against First American Financial Corporation (“First American”), a real estate company, in the amount of $487,616, for its “disclosure controls and procedures violations related to disclosures made in connection with a cybersecurity vulnerability involving the company’s ‘EaglePro’ application for sharing document images related to title and escrow transactions”, in violation of Rule 13a-15(a) of the Security Exchange Act of 1934. See the SEC Order, File No. 3-20367, which can be accessed here. The cybersecurity vulnerability at issue, found to have existed since 2014, was a design defect in the EaglePro application whereby a user could take an unsecured EaglePro package URL containing images of escrow and title-related documents and alter it to view other document images which the user was not authorized to access, thereby exposing to unauthorized access “millions of document images”.  Id. at 6.  This vulnerability, identified in a January 11, 2019 report finalized by First American’s information security personnel, was incorrectly inputted internally as “low risk” instead of “medium risk”, thereby increasing the time for remedying the defect from 45 days to 90 days upon input. Further, senior executives who were responsible for First American’s disclosures were not made aware of the pertinent facts of the January 11th report until after the company furnished a Form 8-K, which included a press release about the cybersecurity vulnerability, on May 28th, 2019.

Given the success of the SEC’s Cyber Unit in holding First American responsible for its mishandling of this serious cybersecurity vulnerability, and given the recent consideration for recommendation in the OIRA Agenda for the SEC to propose rule amendments aimed at enhancing issuer disclosures as they relate to cybersecurity risk governance, it will be curious to see if the SEC’s Cyber Unit pursues more cybersecurity cases akin to the First American matter.
 

About Faruqi & Faruqi, LLP

Faruqi & Faruqi, LLP focuses on complex civil litigation, including securities, antitrust, wage and hour and consumer class actions as well as shareholder derivative and merger and transactional litigation. The firm is headquartered in New York, and maintains offices in California, Georgia and Pennsylvania.

Since its founding in 1995, Faruqi & Faruqi, LLP has served as lead or co-lead counsel in numerous high-profile cases which ultimately provided significant recoveries to investors, direct purchasers, consumers and employees.

To schedule a free consultation with our attorneys and to learn more about your legal rights, call our offices today at (877) 247-4292 or (212) 983-9330.

Tags: faruqi & faruqi, investigation, news, litigation, settlement notice, case, faruqi law, faruqi blog, faruqilaw, Thomas T. Papain, securities litigation Faruqi & Faruqi Faruqi & Faruqi

New York office
Tel: (212) 983-9330
Fax: (212) 983-9331

Finding us

Our Offices


Our offices are nationwide. If you have any questions about a case or our firm, please contact us.

New York

685 Third Avenue 26th Floor
New York, New York 10017
(212) 983-9330
(877) 247-4292
(212) 983-9331

California

1901 Avenue of the Stars Suite 1060
Los Angeles, California 90067
(424) 256-2884
(424) 256-2885

Georgia

3565 Piedmont Road NE Building Four, Suite 380
Atlanta, Georgia 30305
(404) 847-0617
(404) 506-9534

Pennsylvania

1617 JFK Boulevard, Suite 1550
Philadelphia, Pennsylvania 19103
(215) 277-5770
(215) 277-5771

Faruqi & Faruqi office in New York, New York

Faruqi & Faruqi office in Los Angeles, California

Faruqi & Faruqi office in Atlanta, Georgia

Faruqi & Faruqi office in Philadelphia, Pennsylvania