Title insurer First American Financial has agreed to pay a $487,616 fine to the Securities and Exchange Commission over its disclosures related to the discovery of a data breach in 2019.
Both First American and the SEC said in related communications on Tuesday that the company neither admitted nor denied the regulator's allegations.
"We are pleased to be able to resolve this matter with the SEC and remain committed to complying with all SEC disclosure control requirements," said a statement from a First American spokesman.
In May 2019 it was announced that a security flaw at the title insurer could have enabled unauthorized access to more than 885 million records containing sensitive personal data and dating back to 2003.
First American issued a press release on May 24, 2019, and filed a statement with the SEC a few days later. However, the SEC said that First American executives had not been notified by the company's information security staff of certain relevant information regarding the breach, including the fact that it had been discovered several months earlier.
First American announced in its 10-Q filing for the third quarter of 2020 that it had received a Wells notice from the SEC stating that the agency's staff had recommended initiating an enforcement action over the company's handling of the breach.
In its findings, the SEC's order noted that First American had failed to maintain disclosure controls and procedures to ensure that all available, relevant information about the vulnerability was analyzed for disclosure in the company's public reports.
"In particular, First American executives were not informed that the company's information security personnel had identified a vulnerability in a manual penetration test of the EaglePro application a few months earlier in January 2019, or that the company was not complying with its policy on the vulnerability," the SEC's order said.
When the public statements were made, officers were unaware that the company's information security personnel had known about the breach since January and that it had existed since 2014.
"As a result of First American's inadequate disclosure controls, management was completely unaware of this vulnerability and the company's failure to address it," said Kristina Littman, head of the SEC Enforcement Division's cyber unit, in a press release. "Issuers must ensure that information that is important for investors on the career ladder is reported to those responsible for disclosure."
The SEC thanked the New York Department of Finance, which regulates the state's insurers, for helping with the investigation.
First American stock, which traded at $64.82 just before noon on Tuesday, 77 cents below Monday's closing price, ended the day at $66.14 per share after hitting a high of $66.61 just before 3:00 PM.