Part 2: A New Wave of Cybersecurity Legislation Awaits Title Agents— What Is Required

South Carolina was the first state to establish an adaptation of the Insurance Data Security Model Law. That law, which is based on the NAIC Model Cybersecurity Act recently implemented by the National Association of Insurance Commissioners, offers solutions to address the threat of cyberattacks. Since new legislation is likely to be similar to South Carolina’s Insurance Data Security Act (SC Act), our blog series will use that statute as a guide for outlining actions title agents should take in preparing for inevitable adoption of similar legislation in other states.

A New Wave of Cybersecurity Legislation May Await Title Insurance Agents

Every state in the nation has a unique set of steps with which businesses must comply to provide notification when a hacker has gained unauthorized access to data via a breach of a network and/or email account. But a new set of statutes will focus on what a title agent is required to do even before a breach occurs, by mandating procedures designed to minimize the chances that a client’s nonpublic personal information (NPI) will be subjected to a successful attack.

Defining ALTA Best Practice Approaches

As the American Land Title Association’s (ALTA) Best Practices are fast becoming an industry standard, it is important for title and settlement agents to understand the types of recognized engagements that accounting practitioners can perform and that mortgage lenders will accept. The American Institute of Certified Public Accountants (AICPA) released non-authoritative Technical Questions and Answers that describe four types of acknowledged engagements: examinations, reviews, agreed-upon procedures, and consulting engagements. Some lenders may also consider allowing a title agent’s self-certification in some instances.

PYA provides all the engagement types identified by the AICPA for, and on behalf of, title and settlement agents. The following table provides a comparison of each engagement type.

Defining Approaches Chart

 

 

New PYA White Paper: Framework Offers Companies Solution for Cybersecurity Risk for Title and Settlement Companies

Cybersecurity

PYA has released a white paper that discusses the importance of the AICPA’s cybersecurity risk management framework and System and Organization Controls for Cybersecurity in assessing the strength and effectiveness of cybersecurity risk management programs for title and settlement companies.

A new PYA white paper outlines the American Institute of Certified Public Accountants’ (AICPA) cybersecurity risk management framework and System and Organization Controls (SOC) for Cybersecurity, and the role they play in the development of an effective cybersecurity risk management program and the assessment of cybersecurity risk readiness for title and settlement companies.

A cybersecurity breach can result in tremendous financial loss—to the tune of millions of dollars—and reputational damage— sometimes fatal—for afflicted companies. To help mitigate the risk, the AICPA released a cybersecurity risk management reporting framework last year.  The framework is used as a reference point for independent certified public accountants (CPAs) to engage SOC reporting on the overall effectiveness of an organization’s cybersecurity risk management program.  The SOC for Cybersecurity, when combined with the Best Practices Framework developed by the American Land Title Association (ALTA) offers many benefits over a stand-alone Best Practices certification.

According to the white paper, “Alone, the ALTA Best Practices Certification does not include this level of detailed information…With a SOC for Cybersecurity Report, not only will lenders and customers of a title and settlement company be able to see the company’s entity-wide commitment to developing effective controls over cybersecurity, lenders and customers will also have the assurance of a CPA’s independent opinion on the description and effectiveness over the entity’s cybersecurity controls.”

PYA assists title and settlement companies by conducting SOC 2 and SOC cybersecurity risk management examinations; gap analysis to determine if an organization is ready for SOC 2 or SOC cybersecurity; and examinations to mitigate regulatory, financial, and reputational risks.