Defining ALTA Best Practice Approaches

As the American Land Title Association’s (ALTA) Best Practices are fast becoming an industry standard, it is important for title and settlement agents to understand the types of recognized engagements that accounting practitioners can perform and that mortgage lenders will accept. The American Institute of Certified Public Accountants (AICPA) released non-authoritative Technical Questions and Answers that describe four types of acknowledged engagements: examinations, reviews, agreed-upon procedures, and consulting engagements. Some lenders may also consider allowing a title agent’s self-certification in some instances.

PYA provides all the engagement types identified by the AICPA for, and on behalf of, title and settlement agents. The following table provides a comparison of each engagement type.

Defining Approaches Chart



New PYA White Paper: Framework Offers Companies Solution for Cybersecurity Risk for Title and Settlement Companies


PYA has released a white paper that discusses the importance of the AICPA’s cybersecurity risk management framework and System and Organization Controls for Cybersecurity in assessing the strength and effectiveness of cybersecurity risk management programs for title and settlement companies.

A new PYA white paper outlines the American Institute of Certified Public Accountants’ (AICPA) cybersecurity risk management framework and System and Organization Controls (SOC) for Cybersecurity, and the role they play in the development of an effective cybersecurity risk management program and the assessment of cybersecurity risk readiness for title and settlement companies.

A cybersecurity breach can result in tremendous financial loss—to the tune of millions of dollars—and reputational damage—sometimes fatal—for afflicted companies. To help mitigate the risk, the AICPA released a cybersecurity risk management reporting framework last year. Independent certified public accountants (CPAs) use the framework as a reference point when reporting, through SOC engagements, on the overall effectiveness of an organization’s cybersecurity risk management program. The SOC for Cybersecurity, when combined with the Best Practices Framework developed by the American Land Title Association (ALTA), offers many benefits over a stand-alone Best Practices certification.

According to the white paper, “Alone, the ALTA Best Practices Certification does not include this level of detailed information…With a SOC for Cybersecurity Report, not only will lenders and customers of a title and settlement company be able to see the company’s entity-wide commitment to developing effective controls over cybersecurity, lenders and customers will also have the assurance of a CPA’s independent opinion on the description and effectiveness over the entity’s cybersecurity controls.”

PYA assists title and settlement companies by conducting SOC 2 and SOC cybersecurity risk management examinations; gap analysis to determine if an organization is ready for SOC 2 or SOC cybersecurity; and examinations to mitigate regulatory, financial, and reputational risks.

PYA Title Industry Thought Leader to Facilitate ALTA Springboard Roundtable Discussions

Debra Gentry, director of PYA’s ALTA Best Practices Services Group, will serve for the second consecutive year as a roundtable discussion facilitator on the American Land Title Association’s (ALTA) 2018 Springboard. The Springboard is an opportunity for title insurance and settlement industry professionals to network, attend informative sessions, and utilize “braindates,” an innovative platform for ALTA attendees to customize their experience.

Debra will lead a roundtable talk on “Finding Your Rhythm,” guiding positive discussion, encouraging dialogue, and contributing to the conversation with an eye on solving industry problems. She will also facilitate discussions during the “Ideas Festival,” covering topics such as:

  • Customer Experience
  • Digital Closings
  • Wire Transfer Fraud

Additionally, Debra will host two braindate information sessions: “Is Your SOCs Drawer in Order? SOC Cybersecurity and Other Cybersecurity Issues” and “Training Staff? Who, What, When and Where?”

The Springboard takes place March 20-21, 2018, in Atlanta, Georgia. Learn more and register.

For more information on ALTA Best Practices or SOCs compliance and risk management programs, or to request a speaker on these topics for your organization or event, contact one of our PYA executives below at (800) 270-9629.

Heeding Momma’s advice, or dealing with the consequences

When we were children, our mothers told us to “eat a good breakfast,” “always eat your vegetables,” and “get plenty of exercise.” As we grew older, their advice focused on more important life choices such as “don’t do drugs,” “don’t exceed the speed limit,” and “don’t hang out with the wrong crowd.” Our mothers didn’t dispense this advice just to make our lives more difficult. To the contrary, this advice was offered in hopes we could avoid the inevitable ill consequences that arise from not following such advice.

But, now we’re in the business world, and as title executives, we encounter things our mommas never taught us.  So, we must draw from all legitimate available resources in structuring our business dealings for best possible outcomes.  In this blog, we’ll cover some cybersecurity tips and best practices advice our mothers could never have anticipated.

Advice your momma never gave you

While our moms provided a plethora of guidance for our personal lifestyles, it is lawyers, industry regulators, judges, and other professionals to whom we must look as sources of behavioral business advice. Even then, despite our best efforts, we must anticipate and prepare for consequences resulting from any missteps or situations beyond our control.

In light of the recent “misdirected wire transfer scams” and “ransomware attacks,” it’s important we seek sound advice to avoid becoming a victim of cyber criminals. PYA Information Technology Principal Barry Mathis, a former CIO, CTO, senior IT audit manager, and IT risk management consultant, says, “Accepting a verbal confirmation that your systems are patched and up-to-date is an unacceptable form of management. Senior leadership should require vulnerability scans and reports that show the status of all devices in the network. It’s not just about ransomware, it’s about the vulnerability of the device. When it comes to cybersecurity, a single hole could sink the entire ship.” Mathis recently authored a blog, “‘WannaCry’— Actions Your Healthcare IT Professional Wants You to Take Now,” for healthcare providers that offers some important tips also applicable to other industries.

Another recent blog, “8 Steps to Avoid Being the Victim of the Next Ransomware Attack,”  from Morrison & Foerster LLP, offers good advice that title agencies and law firms should employ to minimize this risk, including:

  1. Making sure software patches are routinely applied.
  2. Using only supported operating systems and other software, if possible.
  3. Using anti-malware and anti-virus software tools and services.
  4. Backing up critical data.
  5. Training employees to spot phishing emails.
  6. Creating a cross-functional incident response plan.
  7. Practicing response to a ransomware attack in a table-top exercise in order to “hit the ground running” when this type of event occurs.
  8. Establishing or enhancing relationships with law enforcement and other critical partners.

A slightly longer list of recommendations appears in a free, easy-to-follow e-book written by attorney Brian Focth, “12 Steps for Cybersecurity: A Guide for Law Firms.”  None of these suggested actions are particularly difficult to implement, and just like following your momma’s lifestyle advice, you would be much better off taking these simple steps.

Simple, eh? Despite our best efforts, we’ll likely stray from well-reasoned business advice and fail to perform one or more recommended actions. But even more troubling is that even 100% completion of each recommended action is no guarantee that a cyberattack won’t happen. And for that, we must prepare for any consequences. In this business context, cyber-insurance coverage is one of your best defenses.

Protecting against inevitable consequences will require some investigation

The challenge is that while most businesses already have “professional liability” and “general commercial liability” policies in place, most don’t know what is actually covered or excluded under those policies.  Remember that, although you paid a premium for protection against a series of different risks, you can only be sure that the risks you want covered are in fact covered by carefully reading each policy.  Here’s another piece of advice worth following: “Read your policies before you have a loss incident.”

This is where some business advice is really needed. Many business owners ask, “If I read an insurance policy, what should I look for?” A helpful blog on this topic, “No More Tears: Insurance Coverage For The ‘WannaCry’ Ransomware Attack,” was recently published by Tyrone R. Childress, Richard DeNatale, and Jason B. Lissy, all lawyers with the Jones Day law firm. The blog notes that of the approximately 70+ cybersecurity insurance carriers offering cybersecurity policies, none are the same. As a result, any policy you have, and any that you are proposing to secure, should be carefully evaluated to ensure coverage of the specific risks about which you are concerned. Many of the policies will not address specific risks, or will exclude coverage for certain risks, but insurers point out that, in most cases, these policies can be customized to meet your needs through available endorsements that add coverage or delete exclusions.

My advice is to become familiar with the variety of both first-party and third-party coverages that carriers offer so you know what to look for and what to ask for if it is not covered.  A great resource for understanding and evaluating the types of coverages and policies available is an article, “Cyber Insurance for Law Firms,” written by Jeffrey A. Franklin, Esq., in the May/June 2016 issue of GPSolo, an American Bar Association publication.

Overlooked benefit to implementing recommended cybersecurity measures

Finally, you must remember that policy premiums vary, based upon the carrier’s assessment of its risk of loss.  Just like a life insurance carrier is going to charge more for a person with diabetes and high blood pressure, a cyber insurance carrier is going to charge more for those who can’t provide proof of having: timely applied software patch updates, conducted adequate staff training for detecting phishing attacks, or implemented security safeguards such as use of strong passwords.  Your ability to demonstrate that your office exercises industry Best Practices, like those covered in Pillar 3 of ALTA Best Practices, will have a significant impact on what you pay for needed coverage.

If you are serious about doing all you can to avoid becoming a victim of cybercrime, adopting and actually implementing the procedures outlined in Pillar 3 of ALTA Best Practices is the best tactic you can employ.  However, even this can’t ensure you won’t become a victim.  Securing a broad-based cyber insurance policy providing protection against financial loss is your next best hedge against this ever-present risk.  However, you can maximize these efforts by achieving a certification of compliance through a qualified, independent third party.  By taking this additional step, you can earn a substantial discount on the premiums charged by the cyber-insurance carrier and use this discount to defray the cost of the certification.  In the end, successfully completing an assessment for compliance with ALTA Best Practices can not only demonstrate the desirability of your firm to lenders, but help you substantially minimize the cost of protection and any actual financial loss that will arise when a cyber-attack on your firm inevitably occurs.

In conclusion, there are three excellent reasons you should consider securing a Best Practices certification of compliance:

  1. You can minimize many of the dire consequences that naturally arise from failing to completely follow good industry advice.
  2. You can achieve substantial savings on the costs of cyber insurance.
  3. Your momma would be proud of such a decision.