Part 2: A New Wave of Cybersecurity Legislation Awaits Title Agents— What Is Required

South Carolina was the first state to establish an adaptation of the Insurance Data Security Model Law. That law, which is based on the NAIC Model Cybersecurity Act recently implemented by the National Association of Insurance Commissioners, offers solutions to address the threat of cyberattacks. Since new legislation is likely to be similar to South Carolina’s Insurance Data Security Act (SC Act), our blog series will use that statute as a guide for outlining actions title agents should take in preparing for the inevitable adoption of similar legislation in other states.

The SC Act goes into effect January 1, 2019.  It requires SC licensees (title agents) and domestic insurers to develop a “comprehensive, written information security program [ISP]” on or before July 1, 2019.   At first glance, the term ISP may seem generic and vague.  However, a thorough reading of the SC Act reveals a broad outline of a number of specific types of individual reports that must be included in the ISP (and even more detail about what must be included in each report).

These are not reports you merely copy and paste into your plan.   The required reports, and the itemized details therein, must demonstrate your intention to address the particular risks of a potential cyberattack or negligent mishandling of nonpublic personal information (NPI). Building an ISP will be a substantial undertaking for most title agents, requiring much time, resources, and effort.  The requirements are so vast that adherence to even a 14-month completion deadline could be challenging.


First Step: Risk Assessment

Developing an ISP requires you to start with a risk assessment. While this is a commonly understood term in the IT and cybersecurity world, it may be new to the vocabulary of most title agents. In layman’s terms, a risk assessment is a process that examines how your office handles information in the course of its routine daily operations.

First, you should document the sources of NPI data and where it is located and stored, then carefully analyze the possibilities of “risk events,” or ways that data could be improperly accessed. The risk assessment process is a necessary step, because a completed ISP must specifically address what is being done to prevent, or at least minimize, the occurrence of each identified risk event.

Once the risk assessment is completed, the next steps are to 1) categorize the likelihood of occurrence for each risk event, and 2) rank all identified risk events from most critical to minimal.  Risk can never be eliminated, but by categorizing the risk events from highest to lowest, one can begin to focus on minimizing the occurrence of those events that pose the greatest damage potential.

Sound easy? Hackers have the ability to break into all types of networks. Understanding firewall security, reviewing breach attempt logs, and educating employees on how a simple mistake could improperly release client information is not something to take lightly; it is a necessity. However, few people in the title industry feel confident enough to take this first step without professional guidance.

PYA’s team of information security professionals is focused on the title industry and can guide you through the process, assisting with the development of reports and plans necessary for ensuring compliance with these types of new statutory requirements.  Contact us to see how we can help.


A New Wave of Cybersecurity Legislation May Await Title Insurance Agents

Every state in the nation has a unique set of steps with which businesses must comply to provide notification when a hacker has gained unauthorized access to data via a breach of a network and/or email account. But a new set of statutes will focus on what a title agent is required to do even before a breach occurs, by mandating procedures designed to minimize the chances that a client’s nonpublic personal information (NPI) will be subjected to a successful attack.

This is the first in a series of blogs designed to outline specific steps title agents should immediately take to prepare for the inevitable adoption of similar legislation likely to be passed in their states.

The most recent example of pre-breach legislation is South Carolina’s Insurance Data Protection Act, signed into law in early May 2018.  This statute is virtually identical to the NAIC Model Cybersecurity Act recently adopted by the National Association of Insurance Commissioners.  The NAIC act closely parallels the comprehensive, and first-in-the-nation, New York Department of Financial Services (DFS) Cybersecurity Requirements for Financial Services Companies regulation that took effect March 1, 2017.  The practices mandated by both the NAIC and New York laws track what are widely regarded as best practices in the information security community.  For that reason, as all states seek future legislative solutions to curb cyberattack threats, they are likely to adopt laws similar to these.

In addition, the South Carolina law makes it clear that cybersecurity is no longer an issue that solely falls on the shoulders of the IT department or outsourced IT service provider.  This legislation mandates that a firm’s senior management must be actively involved in the development of an “information security program.”  It further requires management to closely supervise its staff to ensure the written program is consistently employed and constantly modified to address new threats and any identified shortcomings in the current plan’s implementation.

But the South Carolina law is not only about security before a breach. It also imposes new timelines and reporting requirements once a licensee has determined that it has sustained a “cybersecurity event.” If a breach does occur, one must provide the Department of Insurance 13 statutorily mandated details surrounding each cyber event within 72 hours, in addition to notifying affected clients whose data has been compromised.

Once this type of law is passed, cybersecurity moves beyond mere “recommendations” from underwriters, clients, and land title associations.  All of these new requirements are dictated directly by the Department of Insurance, an entity that can revoke your license if you do not comply.  It is vital that you ensure that the third-party service providers you utilize document their compliance with the same high security standards.  When weighing title and settlement agent complaints about the difficulty of compliance against the insurance consumer’s reasonable expectation of privacy, it’s likely the Department of Insurance will side with the consumer.  Failure to comply likely will result in your inability to handle insurance transactions.

Compliance with the required steps involves processes and actions foreign to most title agents.  One must perform risk assessments and system vulnerability assessments and develop information security plans that include incident response plans and disaster recovery plans.  Once your plans are developed, you will be required to conduct gap analyses that will lead to remediation plans.  Behind each of these terms exists a set of specific requirements and processes that should be employed. Your ultimate compliance will likely require securing the assistance of a third party with an in-depth knowledge of both cybersecurity compliance and title and settlement business operations.

If you are a South Carolina title agent, you should begin taking these steps immediately, because the South Carolina Insurance Data Security Act is now the law with which you must comply.  The clock is already ticking toward upcoming compliance deadlines.

PYA has years of experience in helping title and settlement agents meet the evolving demands of lenders and regulators to protect client NPI.  PYA is the market leader in providing these unique services to the title community.  Let us know if we can help.


Additional resources:

  • Baker Hostetler’s state-by-state data breach law index
  • National Conference of State Legislators’ index to every state’s data breach legislation
  • SC Information Data Security Act Video

Heeding Momma’s advice, or dealing with the consequences

When we were children, our mothers told us to “eat a good breakfast,” “always eat your vegetables,” and “get plenty of exercise.” As we grew older, their advice focused on more important life choices such as “don’t do drugs,” “don’t exceed the speed limit,” and “don’t hang out with the wrong crowd.” Our mothers didn’t dispense this advice just to make our lives more difficult. To the contrary, this advice was offered in hopes we could avoid the inevitable ill consequences that arise from not following such advice.

But, now we’re in the business world, and as title executives, we encounter things our mommas never taught us.  So, we must draw from all legitimate available resources in structuring our business dealings for best possible outcomes.  In this blog, we’ll cover some cybersecurity tips and best practices advice our mothers could never have anticipated.

Advice your momma never gave you

While our moms provided a plethora of guidance for our personal lifestyles, lawyers, industry regulators, judges, and other professionals are whom we must look to as sources of behavioral business advice.   Even then, despite our best efforts, we must anticipate and prepare for consequences resulting from any missteps or situations beyond our control.

In light of the recent “misdirected wire transfer scams” and “ransomware attacks,” it’s important we seek sound advice to avoid becoming a victim of cyber criminals. PYA Information Technology Principal Barry Mathis, a former CIO, CTO, senior IT audit manager, and IT risk management consultant, says, “Accepting a verbal confirmation that your systems are patched and up-to-date is an unacceptable form of management. Senior leadership should require vulnerability scans and reports that show the status of all devices in the network. It’s not just about ransomware, it’s about the vulnerability of the device. When it comes to cybersecurity, a single hole could sink the entire ship.” Mathis recently authored a blog, “‘WannaCry’— Actions Your Healthcare IT Professional Wants You to Take Now,” for healthcare providers that offers some important tips also applicable to other industries.

Another recent blog, “8 Steps to Avoid Being the Victim of the Next Ransomware Attack,”  from Morrison & Foerster LLP, offers good advice that title agencies and law firms should employ to minimize this risk, including:

  1. Making sure software patches are routinely applied.
  2. Using only supported operating systems and other software, if possible.
  3. Using anti-malware and anti-virus software tools and services.
  4. Backing up critical data.
  5. Training employees to spot phishing emails.
  6. Creating a cross-functional incident response plan.
  7. Practicing response to a ransomware attack in a table-top exercise in order to “hit the ground running” when this type of event occurs.
  8. Establishing or enhancing relationships with law enforcement and other critical partners.

A slightly longer list of recommendations appears in a free, easy-to-follow e-book written by attorney Brian Focht, “12 Steps for Cybersecurity: A Guide for Law Firms.” None of these suggested actions are particularly difficult to implement, and, just like following your momma’s lifestyle advice, you would be much better off taking these simple steps.

Simple, eh? Despite our best efforts, we’ll likely stray from well-reasoned business advice and fail to perform one or more recommended actions. Even more troubling, completing 100% of each recommended action is no guarantee that a cyberattack won’t happen. For that, we must prepare for the consequences. In this business context, cyber-insurance coverage is one of your best defenses.

Protecting against inevitable consequences will require some investigation

The challenge is that while most businesses already have “professional liability” and “general commercial liability” policies in place, most don’t know what is actually covered or excluded under those policies.  Remember that, although you paid a premium for protection against a series of different risks, you can only be sure that the risks you want covered are in fact covered by carefully reading each policy.  Here’s another piece of advice worth following: “Read your policies before you have a loss incident.”

This is where some business advice is really needed.  Many business owners ask, “If I read an insurance policy, what should I look for?”  A helpful blog on this topic, “No More Tears: Insurance Coverage For The ‘WannaCry’ Ransomware Attack,” was recently published by Tyrone R. Childress, Richard DeNatale, and Jason B. Lissy, all lawyers with the Jones Day law firm.  The blog notes that of the approximately 70+ cybersecurity insurance carriers offering cybersecurity policies, none are the same.  As a result, any policy you have, and any that you are proposing to secure, should be carefully evaluated to ensure coverage of the specific risks for which you are concerned.  Many of the policies will not address specific risks, or will exclude coverage for certain risks, but insurers point out that, in most cases, these policies can be customized to meet your needs through available endorsements that add coverage or delete exclusions.

My advice is to become familiar with the variety of both first-party and third-party coverages that carriers offer so you know what to look for and what to ask for if it is not covered.  A great resource for understanding and evaluating the types of coverages and policies available is an article, “Cyber Insurance for Law Firms,” written by Jeffrey A. Franklin, Esq., in the May/June 2016 issue of GPSolo, an American Bar Association publication.

Overlooked benefit to implementing recommended cybersecurity measures

Finally, you must remember that policy premiums vary based upon the carrier’s assessment of its risk of loss. Just as a life insurance carrier is going to charge more for a person with diabetes and high blood pressure, a cyber insurance carrier is going to charge more for those who can’t provide proof of having applied software patch updates in a timely manner, conducted adequate staff training for detecting phishing attacks, or implemented security safeguards such as the use of strong passwords. Your ability to demonstrate that your office exercises industry Best Practices, like those covered in Pillar 3 of ALTA Best Practices, will have a significant impact on what you pay for needed coverage.

If you are serious about doing all you can to avoid becoming a victim of cybercrime, adopting and actually implementing the procedures outlined in Pillar 3 of ALTA Best Practices is the best tactic you can employ.  However, even this can’t ensure you won’t become a victim.  Securing a broad-based cyber insurance policy providing protection against financial loss is your next best hedge against this ever-present risk.  However, you can maximize these efforts by achieving a certification of compliance through a qualified, independent third party.  By taking this additional step, you can earn a substantial discount on the premiums charged by the cyber-insurance carrier and use this discount to defray the cost of the certification.  In the end, successfully completing an assessment for compliance with ALTA Best Practices can not only demonstrate the desirability of your firm to lenders, but help you substantially minimize the cost of protection and any actual financial loss that will arise when a cyber-attack on your firm inevitably occurs.

In conclusion, there are three excellent reasons you should consider securing a Best Practices certification of compliance:

  1. You can minimize many of the dire consequences that naturally arise from failing to completely follow good industry advice.
  2. You can achieve substantial savings on the costs of cyber insurance.
  3. Your momma would be proud of such a decision.

CFPB to Examine Service Providers—Are You Affected? June 13 Webinar Has Answers!

A recent blog by law firm Ballard Spahr reports the Consumer Financial Protection Bureau (CFPB) has begun to examine service providers on a regular, systematic basis, particularly those supporting the mortgage industry. The blog recounts information provided by the CFPB during an American Bar Association (ABA) Business Law Section meeting held May 7, 2017, stating: “The change represents a significant expansion of the CFPB’s use of its supervisory authority and will substantially increase the number and types of entities facing CFPB examinations.” To be fair, the blog does not specifically mention law firms or title and settlement agencies, but both law firms and title agencies are groups that clearly fall into the category of service providers “supporting the mortgage industry.”

Fortunately, there will be an opportunity to hear more detail about whether title and settlement agents will be subject to increased supervision.  Ballard Spahr is conducting a free webinar June 13, 2017, from 12-1 p.m. (ET) which could provide an opportunity to specifically ask such questions.

For further background on this topic prior to the webinar, carefully read the CFPB’s Bulletin 2012-04, “CFPB to Hold Financial Institutions and Their Service Providers Accountable.”  As is obvious from the title of this five-year-old bulletin, the 2017 announcement to directly examine third-party vendors is not an announcement of new policy, but clarification of how the CFPB intends to implement its longstanding policy to hold third parties accountable.