Can Bad Cyber Security Hygiene Get Your Business In Trouble with the SEC? Yes!

The U.S. Securities and Exchange Commission (SEC) has recently fined First American Financial Corporation (FAFC) $487,616 for deficient disclosure controls and procedures related to cybersecurity risks. The fine comes two years after Brian Krebs broke the story about a vulnerability on First American’s Web site that exposed approximately 885 million files, without authentication to read the documents.

Perhaps the biggest reason for the investigation and fine is the fact that FAFC was aware of the vulnerability and didn’t do anything to address it.  According to Krebs: “roughly five months before KrebsOnSecurity notified First American that anyone with a web browser could view sensitive document in its ‘Eagle Pro’ database online just by changing some characters at the end of a link, an internal security audit at First American flagged the exact same vulnerability.”

It is one thing to unknowingly have a vulnerability that is leaking clients’ personal information. It is quite another to know that a vulnerability exists and not remediate it on time.  While some might argue the fine in this case is small, FAFC is not out of the regulatory woods yet. In July 2020, the New York State Department of Financial Services announced the company was the target of their first ever cybersecurity enforcement action in connection with the incident. Their investigation is ongoing. 

If your company is responsible for a large amount of financial and personal information, you have an obligation to protect it.  There are many government and regulatory standards out there that require your business to do so.  To help manage these compliance regulations, you need to ensure your business has a vulnerability and remediation management policy. And this policy must be enforced and updated on a regular basis.  FAFC did have a system in place for ranking vulnerabilities and the timeline for remediation, but several factors led to the problem. One was that they mistakenly ranked the risk of the vulnerability as low rather than high.  Still, they failed to not only remediate the vulnerability within their accepted timelines, the security team also failed to notify senior management of the problem.

To ensure you have your risk and compliance obligations covered, consider outsourcing to a Managed Security Services Provider (MSSP). An MSSP can help manage your vulnerability and remediation management strategy, ensuring you remediate vulnerabilities in a timely manner.  An MSSP like Uzado can help not just with vulnerability management but also with 24×7 support, support your Managed Governance, Risk & Compliance (MGRC) activities, as well as offer a Breach Readiness service to ensure you are prepared to deal with and recover from a breach.   To ensure your business is well protected and meeting its compliance obligations, contact Uzado.