June 16, 2021
Authored by: Katherine Ashton and Eliot Robinson
On June 15, 2021, the SEC announced that it had settled charges against First American Financial Corporation for failures in First American’s disclosure controls and procedures. Rule 13a-15(a) under the Exchange Act requires issuers to maintain disclosure controls and procedures designed to ensure that information required to be disclosed by an issuer in reports it files or submits under the Exchange Act is recorded, processed, summarized and reported within the time periods specified in the SEC’s rules and forms.
According to the SEC’s order, in May 2019, company management learned from a journalist that the company was experiencing a cybersecurity vulnerability that had resulted in the inadvertent public availability of customers’ personal data. First American responded by issuing a statement to the press explaining that the company had learned of a design defect that had resulted in “possible unauthorized access to customer data” and had taken “immediate action to address the situation and shut down external access” to the data. A few days later, First American issued a press release that was also furnished on Form 8-K. In the release, the company reported that there was “[n]o preliminary indication of large-scale unauthorized access to customer information.”
Contrary to these disclosures, the SEC found that the vulnerability had exposed sensitive personal data, including social security numbers, in over 800 million images of customer documents for a period dating back to as early as 2003. The SEC also found that the senior executives of the company who were