Page last updated on February 21, 2025
First American Financial Corp reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-20 19:45:37 EST.
Company Summary
First American Financial Corporation is an American financial services company which provides title insurance and settlement services to the real estate and mortgage industries.
The First American Family of Companies’s core business lines include title insurance and closing/settlement services; title plant management services; title and other real property records and images; valuation products and services; home warranty products; property and casualty insurance; and banking, trust and investment advisory services. With total revenue of $5.8 billion in 2017, the company offers its products and services directly and through agents.
In June 2010, First American Financial Corporation was established when First American split its businesses to create First American Financial Corporation which provides title and settlement services to the real estate and mortgage industry, and CoreLogic, specializing in real estate information.
Filings
10-K filed on 2025-02-20
First American Financial Corp filed a 10-K at 2025-02-20 19:45:37 EST
Accession Number: 0000950170-25-024488
Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!
Item 1C. Cybersecurity.
Item 1C. Cybersecurity We recognize the critical importance of maintaining the safety and security of our systems and data and take a holistic approach to overseeing and managing cybersecurity, which is supported by both management and our Board of Directors. The Company’s Board, the Audit Committee of the Board and management devote significant resources to cybersecurity and risk management processes to adapt to the changing cybersecurity landscape and respond to emerging threats in a timely and effective manner. Our approach to cybersecurity risk management is multi-layered and includes governance and risk, monitoring and incidence response, data security, application security, endpoint security, network security and perimeter security. The Company’s Board of Directors has delegated the primary responsibility to oversee cybersecurity matters to the Audit Committee of the Board. The Audit Committee receives quarterly reports from our Chief Information Security Officer (“CISO”) regarding cybersecurity matters. The CISO also briefs the full Board of Directors on cybersecurity matters semi-annually. The Company maintains an extensive and structured enterprise risk management (“ERM”) program encompassing senior executive leaders from all facets of its business, including operations, human resources, finance, accounting, treasury, information security, information technology, legal/regulatory, internal audit, compliance, underwriting, and real estate. As part of our ERM program, the Company maintains an Information Security Oversight Committee (“ISO Committee”) that oversees the Company’s cybersecurity program from a management perspective. The ISO Committee meets quarterly and is comprised of the Company’s Chief Executive Officer, Chief Financial Officer and Chief Legal Officer, whose relevant expertise and experience can be found in the Company’s Proxy Statement on Schedule 14A filed on April 1, 2024. The ISO Committee also includes the Co-Presidents of First American Title Insurance Company, the Vice-Chairman of our data and analytics business and the President of our international division, who bring deep operational experience specific to our businesses; the Chief Intellectual Property and Privacy Officer, who is responsible for protecting and advising on innovation, data privacy and intellectual property; and is chaired by the Company’s Chief Risk Officer, who has over 25 years of experience in risk management. The Company’s CISO and Chief Technology Officer (“CTO”) are participants on the ISO Committee. The Company’s CISO is primarily responsible for assessing and managing cybersecurity risks and threats and is responsible for developing and implementing our information security program, working closely with the ISO Committee. The CISO manages a team of cybersecurity professionals with broad experience and expertise, including in cybersecurity governance, cybersecurity threat assessments and detection, mitigation technologies, cybersecurity training, incident response, cyber forensics, insider threats and regulatory compliance. Our CISO has been with the Company for 14 years in various information security leadership roles and has over 20 years of experience in the cybersecurity field. The CISO provides regular reports to the ISO Committee that are shared with the Company’s Board of Directors. The Company’s CTO is responsible for overseeing the Company’s overall technology strategy, including integrating security considerations into all aspects of our technology development. Our CTO has over 20 years of experience in technology management roles. As part of our risk management process, the Company maintains an overall risk management program that encompasses cybersecurity, conducts security audits, annual System and Organization Controls (“SOC 2”) testing, and ongoing risk assessments using a company-wide risk framework. We also require employees with access to information systems to undertake data protection and cybersecurity training. The Company has processes in place for assessing, identifying, and managing material risks from potential cybersecurity incidents, including vulnerability identification, intrusion prevention, encryption, endpoint protection, behavior analysis, mitigation and the processes and protocols set forth in the Company’s incident response plans. Certain of our subsidiaries manage their own cybersecurity functions and coordinate with the Company’s CISO. The Company also employs systems and processes designed to oversee and identify cybersecurity threats associated with third-party vendors, including a risk assessment and rigorous evaluation of each vendor that may access, process or store highly sensitive or proprietary data or that is systematically integrated with the Company’s systems or network . In addition to our in-house cybersecurity capabilities, we engage assessors, consultants, auditors, and other third parties to assist with assessing, identifying, mitigating and managing cybersecurity risks, including the maintenance of a Security Operations Center that is co-managed between the Company and a managed security service provider (“MSSP”), which continuously reviews the Company’s network using threat intelligence from a variety of sources and reports potential incidents from users. 24 While the Company has experienced cybersecurity threats to its data and systems, such threats have not materially affected the Company, including our business strategy, results of operations or financial condition, with the exception of an incident in the fourth quarter of 2023, as disclosed in a Current Report filed by the Company on Form 8-K on December 22, 2023, as amended on December 29, 2023 and January 12, 2024 and followed by a Current Report on Form 8-K on May 28, 2024. On June 21, 2024, the Company received a complaint, on a class action basis, relating to the incident in the fourth quarter of 2023. For additional information on cybersecurity risks we face, see Item 1A. Risk Factors of this Annual Report, which should be read in conjunction with the foregoing information.
Company Information
| Name | First American Financial Corp |
| CIK | 0001472787 |
| SIC Description | Title Insurance |
| Ticker | FAF - NYSE |
| Website | |
| Category | Large accelerated filer |
| Fiscal Year End | December 30 |