First American Financial Corp - (FAF)
10-K Filing Date: February 21, 2024
We recognize the critical importance of maintaining the safety and security of our systems and data and take a holistic approach to overseeing and managing cybersecurity, which is supported by both management and our Board of Directors. The Company’s Board, the Audit Committee of the Board and management devote significant resources to cybersecurity and risk management processes to adapt to the changing cybersecurity landscape and respond to emerging threats in a timely and effective manner. Our approach to cybersecurity risk management is multi-layered and includes governance and risk, monitoring and incident response, data security, application security, endpoint security, network security and perimeter security.
The Company’s Chief Information Security Officer (“CISO”) is responsible for developing and implementing our information security program and manages a team of cybersecurity professionals with broad experience and expertise, including in cybersecurity threat assessments and detection, mitigation technologies, cybersecurity training, incident response, cyber forensics, insider threats and regulatory compliance. Our CISO has been with the Company for 13 years in various information security roles and has over 20 years of experience in the cybersecurity field.
The Company’s Board of Directors has delegated the primary responsibility to oversee cybersecurity matters to the Audit Committee of the Board. The Audit Committee receives quarterly reports from our CISO regarding cybersecurity matters. The CISO also briefs the full Board of Directors on cybersecurity matters semi-annually.
The Company maintains an extensive and structured enterprise risk management (ERM) program encompassing senior executive leaders from all facets of its business, including operations, human resources, finance, accounting, treasury, information security, information technology, legal/regulatory, internal audit, compliance, underwriting, and real estate. As part of our ERM program, the Company maintains an Information Security Oversight Committee (“ISO Committee”) that oversees the Company’s cybersecurity program from a management perspective. The ISO Committee meets quarterly and is chaired by the Company’s Chief Risk Officer and is comprised of the Company’s Chief Executive Officer, Chief Financial Officer, Chief Legal Officer, Chief Privacy Officer and top leaders of each of the Company’s operating units. The Company’s CISO, Chief Information Officer and Chief Technology Officer are also participants on the ISO Committee and the Chief Audit Executive, who reports to the Company’s Audit Committee, is an observer. The CISO provides regular reports to the ISO Committee which are shared with the Company’s Board of Directors.
As part of our risk management process, the Company maintains an overall risk management program that encompasses cybersecurity, conducts security audits, annual System and Organization Controls (SOC 2) testing, and ongoing risk assessments using a company-wide risk framework. We also require employees with access to information systems to undertake data protection and cybersecurity training and compliance programs. Compliance with cybersecurity training is tracked and reported to the Company’s Compliance Executive Steering Committee and the Audit Committee of the Board. In addition, the Company conducts quarterly employee phishing tests and our CISO provides those results to the Company’s executives. The Company has processes in place for assessing, identifying, and managing material risks from potential cybersecurity incidents, including vulnerability identification, intrusion prevention, encryption, endpoint protection, behavior analysis, mitigation and the processes and protocols set forth in the Company’s incident response plans. Certain of our subsidiaries manage their own cybersecurity functions and coordinate with the Company’s CISO. The Company also employs systems and processes designed to oversee and identify cybersecurity threats associated with third-party vendors, including a risk assessment and rigorous evaluation of each vendor that may access, process or store highly sensitive or proprietary data or that is systematically integrated with the Company’s systems or network. 
In addition to our in-house cybersecurity capabilities, we engage assessors, consultants, auditors, and other third parties to assist with assessing, identifying, mitigating and managing cybersecurity risks, including the maintenance of a Security Operations Center that is co-managed between the Company and a managed security service provider (MSSP), which continuously reviews the Company’s network using threat intelligence from a variety of sources and reports potential incidents from users.
While the Company has experienced cybersecurity threats to its data and systems, such threats have not materially affected the Company, including our business strategy, results of operations or financial condition, with the exception of an incident in the fourth quarter of 2023, as disclosed in a Current Report filed by the Company on Form 8-K on December 22, as amended on December 29, 2023 and January 12, 2024. Prior to the Company’s systems being taken offline in connection with this incident, we produced an internal forecast estimating our adjusted earnings per share to be $1.00. Our actual adjusted earnings per share was 69 cents, including a 5 cent tax benefit, implying a 36 cent shortfall relative to our internal estimate. Although the Company believes that most of this difference is related to the incident, the exact impact the incident had on our fourth quarter results is unknowable. Included in this 36 cent shortfall was $11 million of direct expenses related to the incident in our corporate segment including our $5 million insurance retention. We do not believe the incident will have a material impact on the Company’s overall financial condition or its ongoing results of operations. For additional information on cybersecurity risks we face, see Item 1A. Risk Factors of this Annual Report, which should be read in conjunction with the foregoing information.