AM Best Comments on Credit Ratings of First American Following Alleged Data Security Incident

June 4, 2019

AM Best reported that the Financial Strength Rating of A (Excellent) and the Long-Term Issuer Credit Ratings (Long-Term ICR) of “a” of the members of First American Title Insurance Group, as well as the Long-Term ICR of “bbb” of the parent holding company, First American Financial Corporation remain unchanged following the organization’s announcement that investigations into a reported information security incident are ongoing.

Concurrent with the announcement, First American on May 28, filed a Form 8-K, which is in accordance with U.S. Securities and Exchange Commission requirements. The Form 8-K discloses that the alleged information exposure was discovered by an individual who claimed to have had access to hundreds of millions of personal documents that were available due to a security lapse in one of First American’s customer web portal. This alleged information security incident was brought to the attention of First American by a cybersecurity expert who was in the process of publishing a related article on First American on May 27.

Immediately after learning of the alleged information security incident (and before the article was published), the company discontinued all external access to the application in question, and shortly thereafter, hired a forensic auditor to investigate the matter and filed the 8-K. To date, First American and its forensic auditor have found no evidence of a large-scale data breach and the company continues to work with its external partners to ensure that these and any related information technology security vulnerabilities have been resolved. In addition, First American is in discussion with various regulators, including the New York State Department of Financial Services.

AM Best is in discussions with First American and believes management is diligently working through this matter with its team and third-party providers. First American management believes they have identified and resolved these security weaknesses, and at this point, have found no evidence that exploitation of customer data (other than by the reporter and his source) or ransom attempts have occurred, nor have any signs of a massive security breach been identified.

While an incident such as this generally raises concerns regarding enterprise risk management controls, AM Best believes vulnerabilities to information security incidents like the one that allegedly has occurred at First American are universal and that insurers are not immune to potential IT security lapses. Being one of the largest title insurers in the United States, First American understands the importance of keeping personal records secure. Management has expressed a high degree of commitment to restoring customer confidence and ensuring that all customer information is safeguarded. Although incidents such as this can adversely affect a company’s brand and reputation, management has been in discussions with many of its key customers and envisions minimal impact to revenue. Since there has been no evidence of damages resulting from the information security incident, at this stage of its investigation, management views the financial impact from potential litigation to be immaterial.

First American has implemented remedial actions and is engaging third-party service providers to undertake a comprehensive review of the facts and circumstances around this weakness. AM Best plans to monitor this on an ongoing basis and discuss with management the forensic audit findings, as well as any recommendations adopted to enhance security and internal controls to ensure this vulnerability has been corrected.

The following companies are the members of the First American Title Insurance Group:

  •  First American Title Insurance Company
  • First American Title Insurance Company of Australia Pty Limited
  • First American Title Insurance Company of Louisiana
  • First Title Insurance plc
  • Ohio Bar Title Insurance Company

 


Contact ALTA at 202-296-3671 or [email protected].