Part 2: A New Wave of Cybersecurity Legislation Awaits Title Agents— What Is Required

South Carolina was the first state to enact an adaptation of the Insurance Data Security Model Law. That law, which is based on the NAIC Model Cybersecurity Act recently adopted by the National Association of Insurance Commissioners, prescribes measures to address the threat of cyberattacks. Since new legislation in other states is likely to resemble South Carolina’s Insurance Data Security Act (SC Act), our blog series will use that statute as a guide for outlining the actions title agents should take to prepare for the inevitable adoption of similar laws elsewhere.

The SC Act goes into effect January 1, 2019. It requires SC licensees (title agents) and domestic insurers to develop a “comprehensive, written information security program [ISP]” on or before July 1, 2019. At first glance, the term ISP may seem generic and vague. However, a thorough reading of the SC Act reveals a broad outline of a number of specific reports that must be included in the ISP, along with considerable detail about what each report must contain.

These are not reports you can merely copy and paste into your plan. The required reports, and the itemized details within them, must demonstrate your intention to address the particular risks of a potential cyberattack or negligent mishandling of nonpublic personal information (NPI). Building an ISP will be a substantial undertaking for most title agents, requiring considerable time, resources, and effort. The requirements are so extensive that meeting even a 14-month completion deadline could be challenging.


First Step: Risk Assessment

Developing an ISP requires you to start with a risk assessment. While this is a commonly understood term in the IT and cybersecurity world, it may be new to the vocabulary of most title agents. In layman’s terms, a risk assessment is a process that examines how your office handles data in the course of its routine daily operations.

First, you should document the sources of NPI data and where that data is located and stored, then carefully analyze the possible “risk events,” or ways the data could be improperly accessed. The risk assessment is a necessary step, because a completed ISP must specifically address what is being done to prevent, or at least minimize, the occurrence of each identified risk event.

Once the risk assessment is completed, the next steps are to 1) categorize the likelihood of occurrence for each risk event, and 2) rank all identified risk events from most critical to least critical. Risk can never be eliminated, but by ranking the risk events from highest to lowest, you can focus first on minimizing the occurrence of those events that pose the greatest damage potential.

Sound easy? Hackers have the ability to break into all types of networks. Understanding firewall security, reviewing logs of attempted breaches, and educating employees on how a simple mistake could improperly release client information is not something to take lightly; it is a necessity. However, few people in the title industry feel confident enough to take this first step without professional guidance.

PYA’s team of information security professionals is focused on the title industry and can guide you through the process, assisting with the development of reports and plans necessary for ensuring compliance with these types of new statutory requirements.  Contact us to see how we can help.


Read Part 1: A New Wave of Cybersecurity Legislation May Await Title Insurance Agents



A New Wave of Cybersecurity Legislation May Await Title Insurance Agents

Every state in the nation has its own set of steps with which businesses must comply to provide notification when a hacker has gained unauthorized access to data through a breach of a network and/or email account. But a new set of statutes focuses on what a title agent is required to do even before a breach occurs, by mandating procedures designed to minimize the chances that a client’s nonpublic personal information (NPI) will be exposed by a successful attack.

This is the first in a series of blogs designed to outline specific steps title agents should immediately take to prepare for the inevitable adoption of similar legislation likely to be passed in their states.

The most recent example of pre-breach legislation is South Carolina’s Insurance Data Security Act, signed into law in early May 2018. This statute is virtually identical to the NAIC Model Cybersecurity Act recently adopted by the National Association of Insurance Commissioners. The NAIC act closely parallels the comprehensive, first-in-the-nation New York Department of Financial Services (DFS) Cybersecurity Requirements for Financial Services Companies regulation that took effect March 1, 2017. The practices mandated by both the NAIC and New York laws track what are widely regarded as best practices in the information security community. For that reason, as other states seek legislative solutions to curb cyberattack threats, they are likely to adopt laws similar to these.

In addition, the South Carolina law makes it clear that cybersecurity is no longer an issue that solely falls on the shoulders of the IT department or outsourced IT service provider.  This legislation mandates that a firm’s senior management must be actively involved in the development of an “information security program.”  It further requires management to closely supervise its staff to ensure the written program is consistently employed and constantly modified to address new threats and any identified shortcomings in the current plan’s implementation.

But the South Carolina law is not only about security before a breach. It also imposes new timelines and reporting requirements once a licensee has determined that it has sustained a “cybersecurity event.” If a breach does occur, the licensee must provide the Department of Insurance 13 statutorily mandated details about each cyber event within 72 hours, in addition to notifying affected clients whose data has been compromised.

Once this type of law is passed, cybersecurity moves beyond mere “recommendations” from underwriters, clients, and land title associations.  All of these new requirements are dictated directly by the Department of Insurance, an entity that can revoke your license if you do not comply.  It is vital that you ensure that the third-party service providers you utilize document their compliance with the same high security standards.  When weighing title and settlement agent complaints about the difficulty of compliance against the insurance consumer’s reasonable expectation of privacy, it’s likely the Department of Insurance will side with the consumer.  Failure to comply likely will result in your inability to handle insurance transactions.

Compliance with the required steps involves processes and actions foreign to most title agents.  One must perform risk assessments and system vulnerability assessments and develop information security plans that include incident response plans and disaster recovery plans.  Once your plans are developed, you will be required to conduct gap analyses that will lead to remediation plans.  Behind each of these terms exists a set of specific requirements and processes that should be employed. Your ultimate compliance will likely require securing the assistance of a third party with an in-depth knowledge of both cybersecurity compliance and title and settlement business operations.

If you are a South Carolina title agent, you should begin taking these steps immediately, because the South Carolina Insurance Data Security Act is now the law with which you must comply.  The clock is already ticking toward upcoming compliance deadlines.

PYA has years of experience in helping title and settlement agents meet the evolving demands of lenders and regulators to protect client NPI.  PYA is the market leader in providing these unique services to the title community.  Let us know if we can help.


Additional resources:

  • Baker Hostetler’s state-by-state data breach law index
  • National Conference of State Legislators’ index to every state’s data breach legislation
  • SC Information Data Security Act Video

Defining ALTA Best Practice Approaches

As the American Land Title Association’s (ALTA) Best Practices are fast becoming an industry standard, it is important for title and settlement agents to understand the types of recognized engagements that accounting practitioners can perform and that mortgage lenders will accept. The American Institute of Certified Public Accountants (AICPA) released non-authoritative Technical Questions and Answers that describe four types of acknowledged engagements: examinations, reviews, agreed-upon procedures, and consulting engagements. Some lenders may also consider allowing a title agent’s self-certification in some instances.

PYA provides all the engagement types identified by the AICPA for, and on behalf of, title and settlement agents. The following table provides a comparison of each engagement type.

(Chart: Defining Approaches, comparing the four AICPA engagement types)



New PYA White Paper: Framework Offers Companies Solution for Cybersecurity Risk for Title and Settlement Companies


PYA has released a white paper that discusses the importance of the AICPA’s cybersecurity risk management framework and System and Organization Controls for Cybersecurity in assessing the strength and effectiveness of cybersecurity risk management programs for title and settlement companies.

A new PYA white paper outlines the American Institute of Certified Public Accountants’ (AICPA) cybersecurity risk management framework and System and Organization Controls (SOC) for Cybersecurity, and the role they play in the development of an effective cybersecurity risk management program and the assessment of cybersecurity risk readiness for title and settlement companies.

A cybersecurity breach can result in tremendous financial loss, to the tune of millions of dollars, and reputational damage, sometimes fatal, for afflicted companies. To help mitigate the risk, the AICPA released a cybersecurity risk management reporting framework last year. The framework serves as a reference point for independent certified public accountants (CPAs) performing SOC reporting on the overall effectiveness of an organization’s cybersecurity risk management program. The SOC for Cybersecurity, when combined with the Best Practices Framework developed by the American Land Title Association (ALTA), offers many benefits over a stand-alone Best Practices certification.

According to the white paper, “Alone, the ALTA Best Practices Certification does not include this level of detailed information…With a SOC for Cybersecurity Report, not only will lenders and customers of a title and settlement company be able to see the company’s entity-wide commitment to developing effective controls over cybersecurity, lenders and customers will also have the assurance of a CPA’s independent opinion on the description and effectiveness over the entity’s cybersecurity controls.”

PYA assists title and settlement companies by conducting SOC 2 and SOC cybersecurity risk management examinations; gap analysis to determine if an organization is ready for SOC 2 or SOC cybersecurity; and examinations to mitigate regulatory, financial, and reputational risks.