Over the last five years, cybersecurity has consistently been a top priority of the Securities and Exchange Commission (“SEC”). We have written about the SEC’s focus on cybersecurity in July 2020 and January 2020. With an additional enforcement action in June, the SEC is continuing to signal that firms regulated by the SEC need to have appropriate risk management and cybersecurity controls in place. While this case study isn’t directly related to Investment Advisers, they would be wise to learn lessons from this story.
First American Financial Corporation (“First American”) is a real estate settlement services provider. In that capacity, it stores certain non-public personal information (“NPPI”) of real estate purchasers and sellers. An internal audit in 2018 caught an error: certain NPPI held by First American was not stored securely.
Subsequently, First American conducted a vulnerability test, which culminated in a written report in January 2019. In the report, information security personnel determined that certain website URLs that First American provided to people could be altered by substituting different numbers, which gave unauthorized access to NPPI.