In June of 2021, the U.S. Securities and Exchange Commission (SEC) announced its civil monetary penalties and cease-and-desist order against First American Financial Corporation (FAFC) for failing to fully disclose information related to cybersecurity risks. FAFC provides title insurance policies on commercial and residential real estate properties as well as escrow and closing services.
The SEC penalty is also combined with the New York State Department of Financial Services (NYSDFS) charges for violating cybersecurity regulation (their first charges of this kind) and represents a cybersecurity risk management failure that should be a cautionary tale for other companies.
In addition to the operational risk cyberattacks pose, regulators are using their powers to push companies to adopt cybersecurity risk management systems that adequately meet these risks. Regulatory scrutiny will continue to rise and companies will face more monetary penalties and sanctions in the future.
Not only will companies need to implement cybersecurity risk management systems that provide comprehensive protection, but they will also need to regularly upgrade them to ensure effectiveness. This applies to programs developed entirely in-house, but possibly more importantly, any activities or services that third parties provide.
The Case for Increased Regulator Attention on Cybersecurity
In May of 2019, a journalist disclosed to FAFC’s investor relations individuals that its web program for sharing title and escrow transaction images had a significant cybersecurity vulnerability. This included over 800 million personal documents including Social Security numbers, bank account numbers, tax records, transaction receipts, and more. FAFC shut down external access to this program and the journalist went on to publish an article about this vulnerability.
After the article, FAFC published a press release and filed Form 8-K with the SEC regarding the vulnerability. Unknown to the executives who disclosed this information, it was revealed that information security individuals knew about this vulnerability months prior, and failed to correct the problem. More importantly (according to the SEC enforcement action), these personnel (including the chief information officer) also failed to disclose the issue to senior management and executives before the article was published.
Understanding the SEC Cybersecurity Penalty
On June 15th of this year, the SEC announced the settlement of their enforcement actions against FAFC. The actions included a penalty of almost $500,000 and cease-and-desist order. In their investigation, the SEC revealed that FAFC’s inadequate disclosure procedures and controls related to these cybersecurity risks were in violation of Rule 13a-15(a) in the Securities Exchange act of 1934 (since amended) that requires applicable issuers to disclose procedures and controls to accurately and quickly report on information required by the SEC.
Furthermore, the SEC announced that senior executives in FAFC did not have enough information to measure cybersecurity responsiveness and the risk that the web application presented when they filed Form 8-K.
“[FAFC] did not have any disclosure controls and procedures related to cybersecurity, including incidents involving potential breaches of data.”
The US Securities and Exchange Commission
The SEC’s enforcement is the first time a violation was announced for Rule 13a-15(a) concerning inadequate disclosure related to cybersecurity risk in procedures and controls. The guidance was initially released in 2011 and emphasizes the need for adequate disclosure obligations as cybersecurity risks continue to grow.
The SEC updated this guidance in 2018 to emphasize “the importance of maintaining comprehensive policies and procedures related to cybersecurity risks and incidents.” They further stressed that information about these types of risks be reported and processed to senior management and executives in order to make accurate disclosures to regulators.
With the FAFC action the SEC is moving to enforcement, not just guidance. This places further pressure on public companies to ensure that cybersecurity risk management systems and disclosure procedures are firmly and comprehensively in place.
What the SEC Cybersecurity Penalty Means for TPRM
While the FAFC’s vulnerability did not involve the actions of a third party, and the company did not experience an actual data breach, the SEC penalty does have ramifications for companies managing their cybersecurity and the actions of their third parties.
The pandemic has seen a massive rise in data breaches and cyberattacks, including ransomware and malware. Despite the involvement of third parties in 63% of data breaches, 55% of enterprise-level companies do not include third-party applications in their application security program.
FAFC’s vulnerability within their web application further brings to light the need to ensure that all internal and external systems are thoroughly vetted for cybersecurity and data protection elements. Whether a company uses a third party (or third-party system) for their operations, or a third party supports the web applications, all of these vendors bring their own cyber vulnerabilities to the table, placing increased risk on the company that utilizes them.
As seen with this recent SEC cybersecurity penalty, regulators are paying more and more attention to how companies protect their systems, especially if they contain private consumer information, as with the FAFC case. In addition, regulators are also focusing on companies’ knowledge and management of third-party risks. In anticipation of this increased focus, the National Institute of Standards and Technology (NIST) has published “Key Practices in Cyber Supply Chain Risk Management which provides recommendations to help organizations ensure resilience by building robust cyber supply chain risk management (C-SCRM).
Best Practices for Managing Third-Party Cybersecurity Vulnerabilities
To strengthen cyber resiliency your company needs to implement processes, programs, and procedures that identify and assess emerging threats quickly, respond effectively and efficiently, and take decisive action. This includes ensuring that software is developed securely and that all third parties are also operating with a thorough level of security.
Understand who your third parties are, and what they do:
The first step to managing third-party risks is to gain a complete understanding of who your vendors are, how dependent you are on them, and what exactly they bring to your table. Identifying all of your suppliers and what they do is critical for understanding the risks and vulnerabilities they can present to your cybersecurity.
Know your fourth, fifth, and nth parties:
In addition to the vendors you have direct contracts with, it is also important to know your fourth parties and nth parties- i.e. your third parties’ subcontractors. Without this understanding, companies leave themselves vulnerable to issues such as cyberattacks, supply chain disruptions, and penalties. Tools such as TPRM software help companies understand the complexities of their vendor relationships so that if an issue were to occur with a fourth or nth party, companies are made aware of it and can take steps to manage it.
It’s the age of technology- embrace it:
Automation tools should be used so that all programs, third parties, and potential risks are managed effectively, and that application management hygiene is consistently in place. In addition, keeping any systems or programs you utilize up-to-date makes it harder for hackers to target your systems for attacks.
Adopt multi-factor authentication and zero-trust architecture:
These are increasingly being used to create more checkpoints against hackers and cybercriminals. Embracing these practices is critical to strengthening your software security, though it does require collaboration with IT teams to manage these controls.
Perform initial and ongoing due diligence:
Due diligence involves conducting initial and/or periodic reviews of a third party to determine the suitability of the vendor to provide the required products or services, the risks that the relationship may bring, and the controls that they have to mitigate risks. Performing due diligence during onboarding helps determine potential risks before contracting with them, and ongoing due diligence helps manage risks or changes as they occur.
Hannah Tichansky
Hannah Tichansky is the Senior Content Marketing Manager at Aravo Solutions, the market’s smartest third-party risk and resilience solutions, powered by intelligent automation. At Aravo, she manages all content and thought leadership produced for products and campaigns, and contributes as an author for articles and blog posts.
Hannah holds over 12 years of writing and marketing experience, with 6 years of specialization in the risk management, supply chain, and ESG industries. Hannah holds an MA from Monmouth University and a Certificate in Product Marketing from Cornell University.
Hannah Tichansky is the Senior Content Marketing Manager at Aravo Solutions, the market’s smartest third-party risk and resilience solutions, powered by intelligent automation. At Aravo, she manages all content and thought leadership produced for products and campaigns, and contributes as an author for articles and blog posts.