SEC vs. First American Financial Sends a Message – Identify and Disclose Top Cyber Risk or We’ll Fine You
In a warning of a get-tough policy on cyber risk management, the Securities and Exchange Commission (SEC) has fined First American Financial Corp. (FAFC), finding that the major title insurance and escrow company “did not have any disclosure controls and procedures related to cybersecurity, including incidents involving potential breaches” of personal customer information, prior to journalist Brian Krebs revealing in 2019 a serious vulnerability in an internet-facing app that exposed over 800 million documents.
SEC Policy on Cyber Risk
In 2018, the SEC issued a guidance document that signaled its intent to look deep into the internal cyber risk practices of regulated companies:
“Crucial to a public company’s ability to make any required disclosure of cybersecurity risks and incidents in the appropriate timeframe are disclosure controls and procedures that provide an appropriate method of discerning the impact that such matters may have on the company.”
The guidance document went further, listing cybersecurity risk factors that should be disclosed (and effectively directed regulated companies to a risk analysis like FAIR™ that can quantify the factors):
- Frequency of cyber events, based on past experience
- Probability and magnitude of incidents (costs, in financial terms)
- Adequacy of controls
- Third party suppliers that might create material risks
- Amount of insurance coverage
- Potential reputation harm
- Relevant laws and regulations
- Potential fines and judgments from cybersecurity incidents
Details of the First American Financial Case
As outlined in the Commission’s order, FAFC pretty much violated the 2018 guidance point by point.
Starting in December 2018, penetration testing by FAFC security personnel identified the vulnerability in the app, which not only permitted unauthorized access to documents with PII but actually made documents discoverable on search engines. While the pen testers reported the problem, the app’s “Accountable Remediation Officer” neither performed remediation nor followed company policy to request a waiver or risk acceptance from the CISO, the SEC charged. To compound the problem, the vulnerability was tracked internally as a low-level risk.
On May 24, 2019, Brian Krebs published his report on the vulnerability. On May 28, FAFC issued an 8-K disclosure filing to the SEC and a press release stating that the company had no “preliminary indication of large-scale unauthorized access to customer information.” According to the SEC, the CISO and CIO were both aware of the history of the incident after the Krebs report, and met with the senior executives responsible for the public statements, but somehow those executives remained unaware of the facts when the statements were made.
The SEC settled its complaint with FAFC for just under $500,000, with the company not admitting or denying the findings. Still pending: an enforcement action by the New York Department of Financial Services and a class action suit over the same data breach.
Takeaways for Cyber Risk Management from the SEC Enforcement Action against First American Financial
The SEC couldn’t be clearer in its 2018 guidance and the FAFC complaint that it expects public companies to operate on “policies and procedures” to proactively identify, prioritize and deal with top cyber risks, coupled with reporting to senior management and the board that’s transparent and justifiable.
“The SEC’s guidance to be proactive with cyber risk measurement and appropriate remediation planning is as evident as a company’s fiduciary responsibility to understand and manage its own risk,” commented Laura Mahoney, General Counsel of RiskLens. “Actively learning about risk and taking measures accordingly shouldn’t be up for debate when it comes to protecting shareholder interests.”
But many infosecurity and cyber risk management teams can’t truly meet that standard because they’re still using qualitative, high-medium-low rating scales, not analysis tools that estimate risk in quantitative, monetary terms.
FAIR™ quantitative cyber risk analysis ranks risks based on probable loss exposure (including fines and judgments), analyzes in depth the identified top risks, and games out cost/benefit for remediation alternatives – all in the dollar terms that can be communicated to business stakeholders and regulators.
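To make the contrast between a high-medium-low register and a loss-exposure ranking concrete, here is an added example (written for this edit; it is not code from the FAIR Institute, RiskLens, or the FAIR standard). It follows the FAIR decomposition of risk into Loss Event Frequency (LEF) and Loss Magnitude (LM) and combines them by Monte Carlo simulation into an annualized loss exposure, then ranks scenarios and prices a remediation option. Everything else is an assumption of the example: the triangular distributions standing in for calibrated PERT estimates, the Knuth Poisson sampler, the scenario names, and every dollar and frequency figure, which are constructed for illustration and are not figures from the First American case.

```python
"""
Added example, not from the FAIR Institute post or the FAIR standard itself.
Simplified FAIR-style loss exposure: risk = LEF (loss events per year) x LM
(dollars per event), estimated by Monte Carlo. All scenario numbers are
constructed for illustration only.
"""
import math
import random
import statistics
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Estimate:
    """Calibrated min / most-likely / max estimate, sampled from a triangular
    distribution (an assumption here; FAIR tooling commonly uses PERT)."""
    low: float
    likely: float
    high: float

    def sample(self, rng: random.Random) -> float:
        return rng.triangular(self.low, self.high, self.likely)


@dataclass(frozen=True)
class Scenario:
    name: str
    qualitative: str   # what a high/medium/low risk register would have said
    lef: Estimate      # loss event frequency: loss events per year
    lm: Estimate       # loss magnitude per event, in dollars (fines and judgments included)


def poisson(rng: random.Random, lam: float) -> int:
    """Knuth's Poisson sampler; adequate for the small per-year rates used here."""
    threshold = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1


def simulate_ale(s: Scenario, iterations: int = 10_000, seed: int = 0) -> dict:
    """Monte Carlo annualized loss exposure. Each iteration is one simulated year:
    draw a rate from LEF, draw how many loss events that year produced, and sum
    one LM draw per event."""
    rng = random.Random(seed)
    yearly = []
    for _ in range(iterations):
        events = poisson(rng, s.lef.sample(rng))
        yearly.append(sum(s.lm.sample(rng) for _ in range(events)))
    yearly.sort()
    return {
        "mean": statistics.fmean(yearly),
        "p90": yearly[int(0.9 * iterations)],
        "p_any_loss": sum(1 for y in yearly if y > 0) / iterations,
    }


def rank_by_exposure(scenarios, **kw):
    """Rank scenarios by expected annual loss rather than by a colour rating."""
    scored = [(s, simulate_ale(s, **kw)) for s in scenarios]
    return sorted(scored, key=lambda pair: pair[1]["mean"], reverse=True)


def remediation_net_benefit(before: Scenario, after: Scenario, annual_cost: float, **kw) -> float:
    """Expected reduction in annual loss minus the annualized cost of the control."""
    return simulate_ale(before, **kw)["mean"] - simulate_ale(after, **kw)["mean"] - annual_cost


# Constructed scenarios (illustrative numbers, not drawn from any real case).
# The first one echoes the post's point: a register rated it "Low", yet the
# exposure is dominated by a rare but very expensive event.
EXPOSED_APP = Scenario("Internet-facing document app exposes customer PII", "Low",
                       Estimate(0.2, 1, 3), Estimate(200_000, 2_000_000, 10_000_000))
MAILBOX_PHISH = Scenario("Credential phishing of a staff mailbox", "High",
                         Estimate(2, 5, 10), Estimate(5_000, 20_000, 100_000))
# The same app after the finding is remediated: frequency falls, magnitude does not.
EXPOSED_APP_FIXED = replace(EXPOSED_APP, lef=Estimate(0.01, 0.05, 0.2))


def main():
    for s, r in rank_by_exposure([MAILBOX_PHISH, EXPOSED_APP]):
        print(f"{s.name} (register said {s.qualitative}): "
              f"mean ${r['mean']:,.0f}/yr, p90 ${r['p90']:,.0f}, P(loss) {r['p_any_loss']:.2f}")
    net = remediation_net_benefit(EXPOSED_APP, EXPOSED_APP_FIXED, annual_cost=300_000)
    print(f"Remediating the app at $300k/yr: expected net benefit ${net:,.0f}/yr")


if __name__ == "__main__":
    main()
```

The output ranks the "Low"-rated exposure well above the "High"-rated phishing scenario because the ranking is driven by expected dollars, not by the label, and the remediation line gives the CISO a justifiable number to put in front of the board instead of a waiver request. Real FAIR analyses replace the triangular draws with calibrated PERT estimates and decompose LM further into primary and secondary loss (including fines and judgments), but the ranking and cost/benefit logic is the same.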
Learn how the FAIR standard can help your organization achieve risk management policies and procedures to satisfy the SEC and other regulators – contact a FAIR Institute FAIR Enablement Specialist now: firstname.lastname@example.org