How the Title Industry Can Manage Cybersecurity Risk
EXCERPT: Not so long ago, cybersecurity was something title agents and underwriters considered the domain of the big banks and other high-profile financial institutions. Today, the mortgage and settlement services industry—like virtually every other industry—is clearly under attack.
Phishing scams targeting homebuyers have become so commonplace that the Federal Trade Commission (FTC) issued a warning earlier this year. Ransomware, which locks up the computer systems necessary to execute time-sensitive mortgage transactions, is causing damage to title agents’ reputations—not to mention the reputations of the other entities involved in the transaction.
Perhaps most devastating for members of the title industry is wire transfer fraud. In the case of one California escrow firm, a series of fraudulent wire transfers to the tune of $1.1 million brought about the downfall of the company. Even if a title agent or escrow firm manages to survive such a cyber attack, the company is almost certain to be considered toxic by underwriters who would have to make those losses whole.
Mortgage lenders increasingly are being scrutinized for their vendor management practices, and they demand assurance from their title agents about how they are protecting the non-public personal information (NPI) that they store or access.
As a result of these emerging cyber risks, title agents have simple questions that demand simple, straightforward answers:
- How do we protect our business from cyber threats?
- What do we need to do to comply with financial industry regulations?
- How do we maintain our banking and underwriting relationships by providing the information these stakeholders need?
What About ALTA Best Practices Compliance?
ALTA Best Practices Pillar 3 calls for a comprehensive written privacy and security risk management program, as do federal and state laws such as the FTC’s Privacy and Safeguards Rules.
But what exactly does such a risk management program look like and entail? Pillar 3 says that “the program must be appropriate to the Company’s size and complexity, the nature and scope of Company’s activities, and the sensitivity of the customer information Company handles.” In addition, the program should evolve as the company’s circumstances do.
So how does an organization—especially one the size of the thousands of small title agencies—go about designing this “appropriate security risk management program”?