By Dan Schroeder and Adam Klein
Not so long ago, cybersecurity was something title agents and underwriters considered the domain of the big banks and other high-profile financial institutions. Today, the mortgage and settlement services industry—like virtually every other industry—is clearly under attack.
Phishing scams targeting homebuyers have become so commonplace that the Federal Trade Commission (FTC) issued a warning earlier this year. Ransomware, which locks up the computer systems necessary to execute time-sensitive mortgage transactions, is causing damage to title agents’ reputations—not to mention the reputations of the other entities involved in the transaction.
Perhaps most devastating for members of the title industry is wire transfer fraud. In the case of one California escrow firm, a series of fraudulent wire transfers to the tune of $1.1 million brought about the downfall of the company. Even if a title agent or escrow firm manages to survive such a cyber attack, the company is almost certain to be considered toxic by underwriters who would have to make those losses whole.
Mortgage lenders are increasingly being scrutinized for their vendor management practices, and they in turn demand assurance from their title agents about how the non-public personal information (NPI) they store or access is being protected.
As a result of these emerging cyber risks, title agents have simple questions that demand simple, straightforward answers:
- How do we protect our business from cyber threats?
- What do we need to do to comply with financial industry regulations?
- How do we maintain our banking and underwriting relationships by providing the information these stakeholders need?
What About ALTA Best Practices Compliance?
ALTA Best Practices Pillar 3 calls for a comprehensive written privacy and security risk management program, as do federal and state laws such as the FTC’s Privacy and Safeguards Rules.
But what exactly does such a risk management program look like and entail? Pillar 3 says that “the program must be appropriate to the Company’s size and complexity, the nature and scope of Company’s activities, and the sensitivity of the customer information Company handles.” In addition, the program should evolve as the company’s circumstances do.
So how does an organization—especially one of the thousands of small title agencies—go about designing this “appropriate security risk management program”?
A Roadmap to Cyber-Risk Management
The good news is that cyber risk management does not have to be complex—and, in fact, there is a roadmap for addressing it. This roadmap consists of the following critical tenets:
- Identify Digital Assets
Effective cyber risk management begins with understanding the relative value of the information that your business holds, and the business impact if those digital assets were compromised.
For title agents, those high-value digital assets are commonly regarded as:
- NPI on homebuyers and sellers
- banking credentials that provide access to escrow funds
- access to the company’s network and applications, which ransomware can block
Compromise of any of these (or other) digital assets can cause significant financial, reputational and operational damage to the title agent, the escrow insurance company, the mortgage lender and the borrower.
- Understand the Threats and Resultant Risks
Once we understand what we are protecting (i.e., digital assets), we can assess the real threats and risks to those assets.
For example, some of the threats to the digital assets described above include wire transfer fraud and phishing scams. The inherent risks might include loss of escrow funds, being found in breach of a bank contract and potential class action lawsuits brought by individuals whose information was compromised.
Any assessment of threats and risks must be done within the context of the title agent’s business model and industry. The financial industry has adopted a model to “help institutions identify their risks and determine their cybersecurity preparedness,” and that model can be tailored for the title industry. In 2015, the Federal Financial Institutions Examination Council (FFIEC) released its Cybersecurity Assessment Tool (CAT), which consists of two parts:
- The Inherent Risk Profile helps management determine their exposure across a number of risk categories (for example, delivery channels and external threats) due to the organization’s specific activities, services and products.
- The Cybersecurity Maturity portion is designed to help management measure the institution’s level of cybersecurity preparedness, with levels ranging from baseline to innovative, within five domains (for example, cyber risk management and oversight, and cybersecurity controls).
The CAT model was designed to be specific to banks and is not a “plug-and-play” tool. However, using their discretion and their understanding of threats and risks to their business, title agents can use this model as a general guide to determine their inherent risk profile. That inherent risk profile, in turn, points to the type of risk management that is appropriate for the title agent and its banking and underwriting partners.
- Develop and Implement Appropriate Security Program
As you can see in the chart above, the minimum bar that organizations of any inherent risk level should be prepared to demonstrate is the level of “evolving” controls. Some examples of these controls include a formal cybersecurity program that is based on technology and security industry standards or benchmarks; incorporation of cyber risk identification, measurement, mitigation, monitoring and reporting into that program; and an annual review of the program by an appropriate board committee.
If the nature of the threats and risks demand more stringent controls, title agents can use the CAT as a roadmap to determine the steps required to improve their organization’s cybersecurity maturity and reduce its inherent risk profile.
- Ongoing Monitoring and Reporting
The final piece of this security program involves regular monitoring and reporting to drive improvement and provide the peace of mind that title agents are doing the right things to protect their valuable information and systems.
The risk-management approach outlined in this article can be leveraged to strengthen and enhance the ALTA best practices certification program, as well as other forms of assurance reporting, such as the AICPA’s SOC 2 reporting protocol.
Fulfill Banking Requirements, Protect the Business
Following the above roadmap and leveraging the FFIEC CAT, title agencies and their stakeholders are equipped to realistically assess the threats to their funds and NPI and appropriately manage those risks. Not only does this approach fulfill the intent behind Pillar 3, but it also meets or exceeds stringent banking vendor management requirements.
Dan Schroeder is partner-in-charge of information risk management and assurance services, and Adam Klein is client relationship executive with HA&W, which is a CPA firm providing services to the title industry.