Mortgage Software Solutions Blog

How New York’s Latest Cyber Security Law Will Impact You

sgfhj.jpgNew cyber security laws in New York mean strict accountability for businesses.

Cyber security is on the brink of an unprecedented crackdown in New York.

The finance industry is preparing for a new normal that looks vastly more stringent than before.

Part reaction to consumer outrage and part finger-pointing to the market for accountability when it comes to data breaches, the regulation titled Cybersecurity Requirements for Financial Services Companies (2017) is a broad re-draw of the rules by the state regulator.

In a country where the sector has historically played fast and loose with handling missteps, all eyes are watching to see how quickly it can adapt to the new normal.

As everyone settles in for the ride, industry insiders are already forming hypotheses about how far this new regimentation will reach.

Laying Down the Law

The new law outlining consumer data security measures in New York State is the first of its kind in the United States.

Officially released in March of 2017 with a built-in year of lag time, the enforcement date has arrived. As of Thursday February 15, 2018 enforcement is in full effect.

Financial institutions are expected to have stepped up their game in safeguarding computer systems and the sensitive information stored inside. A full guide to the highly prescriptive requirements can be found here.

The end goal is to avoiding security breaches by making businesses sufficiently fearful of repercussions. If they do foster an environment that allows for future problems or leaks of personal data, the stakes are high.

Who the Law Affects

The current law has been interpreted to include all banking, insurance, lending, and mortgage brokerage firms that are operating in New York. Every company under that heading will be held to the new standard.

This means that entities must get in gear to assess their actual and potential cybersecurity risks and make a solid plan to mitigate them.

The good news for IT departments is that due to the highly detailed guidelines about policy and the use of technology to patch up the security gaps, they have rather exact instructions to follow.

Beyond State Lines

At first glance, companies outside of New York might assume they have been spared from the harshest regulations in the country. After a closer look, it seems imminent that the change will have a wide-ranging impact.

Going forward, consumers will rely on their financial institutions to keep personal data safe. Not only are the expectations high, but the safety net sets the stage for demanding the same in other states.

Mortgage companies across the country are targeted by hackers due to the quantity of information and the quality of its use for fraud purposes. Companies outside of New York in the same industry should brace for the arrival of comparable laws on their home turf.  

Out-of-state entities with branches in New York should have a response as well, even before their own states begin drafting something similar.

In fact, other states are already following suit. Colorado and Vermont introduced their own measures within months after the NY regulation was put in place.

Vermont’s law names “securities professionals” as the intended subjects of its tighter regulations. Without specifying banks, the use of this broad term leaves the door open for enforcement with entities that may not previously fall under the state’s traditional regulation agencies.

As a global financial hub, even entities doing business in New York should consider getting the jump on re-assessing their policies as a continuity plan.

Beyond the Finance World

The effect of intensified scrutiny over cyber security practices will logically spill over to third-parties who work in the finance world and businesses who directly manage cyber security for the industry.

Fortune magazine goes one step further, predicting that ripple effect will go well beyond the financial industry. It could cover security events by any business that stores personal data “from point-of-sale to payroll providers.”

After that, it seems the industry shake-up will likely bleed into any major industry that houses consumer data using any sort of technology. These days, companies who aren’t keeping customer information in a computer system are few and far between.

The only thing the industry seems sure of is how this trend in accountability will not be contained by state lines or by industry.

In the early days of this new law’s enactment, the extent of this chain reaction is yet to be seen.

Over the next fiscal year, New Yorkers will lead the way, with countless gazes focused on them for cues of how to adapt.

ABT’s cloud-based portal MortgageWorkSpace adds banking level security to email, servers, PC’s and mobile devices in the mortgage industry. Contact us to learn more.


Topics: Compliance Due Diligence cyber security mortgage company security financial data security cybersecurity mortgage business mortgage industry Consumer Finance Protection Bureau Compliance for Mortgage Companies Compliance Audit cloud-based data Mortgage Lending 23 NYCRR Part 500 NYSDFS network safety

Business Data Security and Multi-Factor Authentication

 240_F_122590781_AfHycyjOI0sOqepiZ1DQVBYkZsH7qlRr.jpg Get an extra level of security with multi-factor authentication or MFA.

Each year, cybersecurity gets more complicated.

According to anti-virus developer Panda Security, the amount of malware created by cybercriminals is predicted to grow exponentially with each passing year.

Companies have to face the reality that a security breach has a serious impact on business.

To avoid the distress of company-wide damage control and a PR nightmare, it’s best to make sure security is in good shape.

Real Business Impact

For some businesses, consumer data handling is the main issue.

Financial institutions such as banks and mortgage companies are often targeted by hackers because they house the most personal information.

With major security failures like the Equifax breach of 2017 making international news, the finance industry’s cybersecurity worries are real.

More is at stake than information. A data breach can mean sales losses and a tarnished reputation that lasts for years.

From fines to fraud, there are monetary repercussions as well.

So what is the fastest way to tighten security on cloud-based and traditional networks?

Multi-Factor Authentication

Data breaches in single-factor authentication systems often exploit the system login credentials or passwords of users.

Multi-factor authentication or MFA is a group of security measures that go beyond the traditional password in order to correctly identify a person for system access.

MFA is becoming more prevalent in the financial industry. This kind of authentication was adopted by the Payment Card Industry Data Security Standard (PSI DSS) in February of 2017 and was listed as a standard for the mortgage industry in the State of New York in the same year.

Multiple factors mean heightened levels of information that only the user can provide.

These factors can be a number of different security measures. A “soft token” is when security software generates a one-time-use passcode sent to the user’s mobile device. This type of authentication can also be executed with a text message, phone call, or an email with a hyperlink.

Other factors run the gamut from predefined security questions to biometric identifiers like fingerprints or facial recognition software.

Only the correct user knows the information or is in the circumstance to receive the passcode, so using MFA means only the approved user is given access.

The Modern Office

Another issue with security is the modern office environment.

There are a growing number of remote workers. Employees want access to work-related applications from outside the office.

In this mobile workforce, employees are moving off of network-approved computers and onto personal or public machines. It’s up to the IT department to facilitate their work and make sure they go through a heightened level of security checks.

MFA is an authentication strategy that allows IT to deliver this level of remote access. It solves the problem of identifying recognized employees while maintaining a solid defense against intruders.

User Experience

The final consideration when implementing cybersecurity measures is user experience.

With higher scrutiny comes a higher level of annoyance by the employee at having to prove their authorization.

IT staffers need to balance security measures with user convenience.

One development that improves this balance is “adaptive” MFA. This security technology evaluates the risk factor of the user and then adapts the number of factors required for entry to the system.

An employee using a company-issued laptop at a café with an IP address across the street from headquarters is considered a low-risk access attempt. This situation does not require extra security measures.

On the other hand, if someone is trying to gain access on an unrecognized device in a location where the company doesn’t have an office (e.g. employee is attempting to do work on her tablet while vacationing in Bali) then the number of factors required will be at the maximum level. The employee jumps through some hoops, but with an understanding of why.


Data breaches are happening at the enterprise level at an alarming rate. A watchdog organization called Breach Level Index estimates that every second, an average of 57 records are stolen.

Employees are moving towards a more mobile work environment with wide geographic distribution.

For companies who handle consumer data, implementing MFA is simply one of the most effective ways to crack down on security violations and keep up with the modern workplace.

Businesses that use the MortgageWorkspace management software by ABT are protected by multi-factor authentication and a host of other cybersecurity measures. Contact us to learn more.

Topics: social networking safety phishing multi-factor authentication cloud storage mortgage business Compliance for Mortgage Companies Compliance Audit cloud-based data Housing Market Mortgage Lending

Guide to New York’s Cybersecurity Regulations

The deadline is less than a month away.

As February 15, 2018 draws near, financial institutions in the state of New York are scrambling to comply with cybersecurity regulations that are new to the industry and unprecedented in the state.

Released in early March of last year, Part 500 of Title 23 or Cybersecurity Requirements for Financial Services Companies (2017) is a 14-page document detailing how finance companies will be legally required to protect nonpublic information in their computer systems.

These regulations were implemented by the Department of Financial Services (DFS) citing security risks and the “ever-growing threat” of foreign nation-states, terrorist organizations and cybercriminals. The DFS Superintendent’s office will be overseeing compliance with the new laws aimed at safeguarding sensitive information that banks, credit unions, and mortgage companies keep on file.

As the zero hour approaches, here is a quick guide to the new DFS directives.

Cybersecurity Programs for All 

The main requirement is that all financial institutions under the regulation of the DFS are now required to create and implement a written cybersecurity program. 240_F_41316834_khRM1Linm358EZL0uiTOmQS2tyeankBN.jpg

With computer-based leaks making national headlines, New York’s banks will be held to a high standard.

The main issue of information leaks is “nonpublic information” or data gathered about customers and clients that is not meant for public knowledge. This includes business information, identifying information, account numbers, and even medical information.

A “cybersecurity event” is any action or attempt of unauthorized access to this information.

Security Measures

The new DFS regulations specifically call for annual penetration testing and bi-annual vulnerability checks of all information systems.

This includes extensive recordkeeping of system activity. Each financial institution must keep transaction records for a period of 5 years and an audit trail that records at least 3 years of activity.

The DFS further urges permissions control for all software applications.

Policy Requirements

This new cybersecurity program that every institution must implement is subject to oversight. The regulations require that all policies be recorded and approved by a senior officer or the company’s board of directors.

The guidelines state that any policies laid down must address an extensive list of 14 distinct topics ranging from data governance to disaster recovery planning.

Beyond stating the goals of these new measures, the law requires that companies designate a Chief Information Security Officer (CISO) for in-house enforcement.

This individual is required to report in writing annually about security to the company’s board and will be held responsible in the event of a breach at the agency.

Risk Assessment

Beyond coming up with a plan, the new regulations require action.

Financial institutions must run a complete risk assessment of their company. The assessment must be documented and it should include an evaluation of the adequacy of the existing access controls.

By law, this assessment must be carried out by qualified cybersecurity personnel. To avoid passing the buck, companies who hire out for the job must still exercise due diligence in evaluating the adequacy of the third party’s own security practices.

The law makes it clear that the financial institution itself will be held responsible for the integrity of their new program.

Other Regulations

There is a host of supplementary details in the document that outline currently-held security precautions across the information systems industry.

For example, multi-factor authentication for network access, a time limit on data retention, and regular cybersecurity awareness training for all personnel are all part of the regulation.

Encryption guidelines are spelled out and become subject to annual review by the CISO.


The final issue addressed by the new regulation involves communication with DFS. The superintendent’s office places a strict time cap on security breach announcements. A company has no more than 72 hours to report any event that has a “reasonable likelihood of materially harming the normal operations” of the company. 

Serious events like this have always fallen under reporting laws to local supervisory bodies. Under the new law, these events will be taken up the chain of command to the Superintendent’s office immediately.  

As of last year, New York is taking cybersecurity seriously. With such strict laws, it’s understandable that financial institutions have been slow to enact changes. After the year-long cushion, the new regulations are set to be enforced and financial institutions will be held responsible if they don’t comply.

14 pages of detailed requirements are on the books. As the transition year comes to an end, banks, mortgage companies, and credit unions are under the gun to make it happen.

Are you a CIO?

Has your institution taken the proper steps for system security?

For comprehensive compliance guidance and other cybersecurity solutions and, contact us.

Topics: DocumentGuardian cloud storage mortgage business mortgage regulations Compliance Audit Mortgage Lending DFS 23 NYCRR Part 500 NYSDFS

The Inevitable Mortgage Audit: Are You Prepared?

The Inevitable Mortgage Audit: Are You Prepared?

Anyone who has worked in the mortgage arena for any length of time knows that mortgage audits are inevitable. But even if you know that audits are a reality of the job, are you actually prepared?

Luckily, we're here to give you an idea about that—five ideas, in fact.

The Federal Financial Institutions Examination Council (FFIEC)

Working in the mortgage field, you are no doubt familiar with this group. The FFIEC has the power to develop and prescribe uniform principles and standards for examinations of financial institutions. The Council provides training for examiners at both the federal and state levels. It also provides guidance on compliance audits to the financial services industry through its member agencies.

Don't Reinvent the Wheel. Utilize Risk Assessment Models.

Several of the regulatory agencies with jurisdiction over financial institutions provide assessment models that can help with risk management. In addition, some industry organizations and commercial companies offer similar models. Just to name a few:

  • Consumer Financial Protection Bureau (CFPB) in its Supervision and Examination manual
  • Federal Reserve (the Fed) in its Community Bank Risk-Focused Consumer Compliance Supervision Program
  • Federal Deposit Insurance Corporation (FDIC), Comptroller of the Treasury (OCC) and National Credit Union Association

These organizations all publish guidance on risk assessment programs that will help you demonstrate your institution's risk as it is, not as the board wishes it would be.

In addition, offers a Mortgage Compliance Checklist Tool to help mortgage companies comply with the various lending regulation requirements.

Compliance Risk Assessment

Compliance examinations, these days, rely less on identifying non-compliant transactions and more on assessing risk and evaluating the financial institution's components that manage, mitigate, or prevent risk. Your financial institution's risk assessment should focus on its structure, policies, and procedures; how actively your board participates in oversight; and of course, your products and services.

Here are three basic questions your compliance risk assessment should answer:

  • First, identify your worst case scenario—not just now but in the future.
  • What controls does your institution have in place?
  • How well do your controls limit the impact of non-compliance?
  • How big is the gap between the worse case scenario and the controls you have in place? That gap is the risk that you want to reduce to as small a point as possible.

What Characteristics to Assess

The following are the characteristics that you want to identify with respect to:

  • Each of Your Institution's Products: Identify the volume and activity—whether it's a new product or an old one. Determine how complicated the product is and whether you intend to make changes or have recently made changes to the product.

  • Your Institution's Internal Operations: Identify how large your staff is, your turnover rates, whether the organization operates with centralized management or not, whether the staff and the organization's culture are compliance driven, and whether the organization has a robust internal monitoring system. Also review recent compliance risk assessment efforts.

  • Third-Party Service Providers: Identify compliance monitoring and due diligence efforts.

  • Each of Your Services: Identify any unfair, deceptive, abusive acts or practices as required by regulatory agencies.

  • Your Consumer Complaint Process: Identify response time and efficacy, and review the record-keeping policy with respect to complaints.

The Federal Compliance Laws for Financial Institutions

The American Bar Association provides its members with a list of the Federal laws that require financial institutions to comply with their rules and regulations and that cover mortgage audits. Just to remind you how regulated the mortgage industry truly is, here is a sampling:

  • Truth in Lending (Regulation Z) disclosure statements
  • Equal Credit Opportunity Act (Regulation B)
  • Fair Credit Reporting Act
  • Federal Reserve Board Regulation, Fair Credit Practices Rule
  • Fair Debt Collection Practices Act
  • ServiceMembers Civil Relief Act

To read an analysis of the accuracy of the CFPB's mortgage compliant data, see National Mortgage Professional Magazine's article from February 2017, entitled "Analysis: How Accurate is CFPB Mortgage Complaint Data?"

To learn more about compliance for mortgage companies, please contact us. We are your resource for all your mortgage company audit compliance questions.

Topics: Compliance Consumer Finance Protection Bureau Compliance for Mortgage Companies Compliance Audit