Description

SEC charges FAFC with cybersecurity disclosure controls violation

On 14 June 2021, the Securities and Exchange Commission (SEC) charged First American Financial Corporation (FAFC), a real estate and mortgage insurance and settlement company. Specifically, FAFC was charged with violating the requirement to maintain proper disclosure controls and procedures in relation to a cybersecurity vulnerability involving sensitive personal data such as social security numbers and financial information. FAFC had been aware of the vulnerability since early 2019, but many of the company's senior executives remained unaware of the issue until contacted by a journalist on 24 May 2019. As a result, the SEC found that FAFC violated the requirement to properly summarise and report the vulnerability to the SEC in a timely manner. The SEC and FAFC agreed on a settlement requiring the latter to cease and desist from future violations and pay a civil penalty of $487,616.

Scope

Policy Area: Data governance
Policy Instrument: Cybersecurity regulation
Regulated Economic Activity: other service provider
Implementation Level: national
Government Branch: executive
Government Body: other regulatory body

Complete timeline of this policy change

2021-06-14
in force

On 14 June 2021, the Securities and Exchange Commission (SEC) charged First American Financial …