Less than a month after New York insurance regulators said a title insurer would pay $1 million for violations of a cybersecurity regulation stemming from a 2019 breach, the holding company for the insurer revealed a more recent cybersecurity incident.
Earlier this week, Fitch Ratings said that the latest incident, disclosed by First American Financial Corporation in a Dec. 22 filing with the Securities and Exchange Commission, probably won’t affect the company’s ratings in the near term. But ratings could eventually be impacted, Fitch said, if business operations remain constrained for an extended period, if investigation of the event reveals weak corporate governance or risk management, or if material adverse information is disclosed.
In the Dec. 22 SEC filing, First American Financial Corporation said the company “recently identified unauthorized activity on certain of its information technology systems” without disclosing the exact date. The 8K SEC filing indicated that the company “took steps in an effort to contain, assess and remediate the incident” upon detection, and that on Dec. 20, the company “elected to isolate systems from the Internet.”
At the date of this writing on Dec. 26, the primary website remained offline. Updates of the situation are available on FirstAmUpdate.com. The most recent updates from Dec. 22 announced the SEC filing and also indicated that First American’s email system has been taken offline. “Any recipient of an email purporting to be from First American, First American Title or from FirstAm.com should be vigilant about cybersecurity risks and avoid clicking on unknown or suspect links,” the company said.
The SEC filing noted that the company was assessing whether the incident could have “a material impact on its financial condition and results of operations, which at this point cannot be determined.” In addition, the company retained leading experts, is working with law enforcement and notified certain regulatory authorities, the filing said.
Among regulators interested in events at First American Financial is the New York State Department of Financial Services (DFS), which announced on Nov. 28 that First American Title Insurance Company would pay a $1 million penalty to New York State for violations of DFS’s Cybersecurity Regulation (23 NYCRR Part 500). The incident that led to the penalty was announced by First American in May 2019, but it was later discovered information security personnel within the company discovered and failed to remediate a serious vulnerability in First American’s “EaglePro” application (for sharing document images related to title and escrow transactions) in January of the same year. The lack of cyber controls promoted an SEC penalty of nearly $0.5 million in June 2021, and the DFS fine of $1 million last month $
For more of the backstory, read, “Title Insurer Settles SEC Charges On Cyber Controls, Pays Nearly $0.5M”
The SEC, at that time, credited DFS with helping in its investigation. DFS, in its announcement last month, said that its investigation revealed that First American “failed to maintain and implement effective governance and classification, access controls and identity management, and risk assessment policies and procedures”—violating the department’s cybersecurity regulation. “As a result, EaglePro lacked sufficient access controls designed to prevent unauthorized users from gaining access to consumers non-public information.”
There is no indication in First American’s latest disclosure that the current incident involves the EaglePro application, and Fitch, in its announcement said that the most recent cyber incident is unrelated to the May 2019 cyber incident.
“Title insurance companies routinely work with sensitive personal information including bank records, and therefore data protection is critical to their operational success,” Fitch said.
Fitch said it intends to monitor for any potential financial, operational, reputational effects of the latest event, and for signs of a deterioration in governance or risk management as this event is resolved.
Still, future negative rating implications “are unlikely given FAF’s substantial ratings headroom relative to established sensitivities,” Fitch said, adding that the rating agency doesn’t believe the recent incident will materially affect First American’s capital position or financial performance.
According to Fitch, First American is the second largest U.S. residential title insurer and a leader in the commercial title market.
Fitch affirmed the financial ratings of First American’s title insurance operating subsidiaries at A, and senior debt for the holding company at BBB on Aug. 24, 2023. Likewise, AM Best affirmed financial strength (A) for First American Title and issuer credit ratings (bbb) for the parent holding company in October.
In an unrelated event, in October, New York Attorney General Letitia James announced that First American would pay New York state $4.5 million related to an investigation of “no-poach agreements” that the company and competing title insurers had with one another to stop employees from switching jobs.