Mortgage Software Solutions Blog

Know Your Cyber Security Reporting Obligations

Know Your Cyber Security Reporting Obligations

New laws dictate how finance companies report security issues.

New York’s recent crackdown in state cybersecurity laws marks true reformation in the finance industry.

14 pages of detailed regulations fully outline the new accountability measures at Wall Street’s epicenter.

The regulations compel close to 10,000 financial institutions and 300,000 insurance licensees to put consumer protection before their corporate reputation for the first time in US history.

From a minor system access attempt by hackers all the way up to a full data breach, the new law saddles financial institutes with direct accountability to the state and implements a new standard in reporting for all mortgage loan servicers, banks, credit unions, and insurance companies.

For finance companies wondering how to conduct business in this new reality, here is a guide to the reporting obligations of New York’s new cybersecurity law

Governing Bodies

The first step of understanding the new obligations is to get familiar with the regulatory bodies of New York’s finance world.

The main authority on the new regulation is the New York State Department of Financial Services (DFS).

In the past, financial institutions were regulated via voluntary frameworks and reported externally to DFS in few situations with undefined parameters.

Under the new law, DFS established immediate authority by requiring a DFS-issued cyber security Certificate of Compliance as a basic prerequisite for operating a financial company. This gives DFS the ability to discipline non-compliant companies by revoking their certificate.

Beyond DFS, the regulation stipulates the creation of internal positions for officers to interface with DFS on behalf of the company. This requirement pushes aside ineffective industry-based governing bodies in favor of a direct link.

Mortgage companies must designate a Chief Information Security Officer (CISO) for in-house enforcement of company security procedures. The CISO reports in writing annually to the company’s board and will be held personally, legally responsible in the event of a breach at the agency.

Reporting Obligations

The final piece of accountability addressed in the new law is a reexamination of security reporting.

A “cybersecurity event” is any attempt of unauthorized access private consumer information. In order to mitigate the effects of a security event, financial institutions need to disclose data loss when it happens. This gives consumers sufficient time to take protective action such as changing passwords or putting a hold on a compromised credit card.

In practice though, finance companies endeavor keep data hacks under wraps. They prefer to save face and avoid losing consumer confidence.

In September of 2017, the Equifax data breach made international headlines. Though not the largest, it is considered the worst data breach in US history due to the sensitive nature of personal data that was accessed.

Despite being aware of the situation, Equifax spent five weeks running corporate damage control before disclosing the leak. The company initially underreported the number of affected consumers as 2.5 million instead of the actual 145.5 million people whose private data was stolen.

This failure to disclose the full extent of the damage infuriated the public.

Lawmakers vowed to protect consumers against this type of cover-up. With Sen. Elizabeth Warren (D-Mass.) at the helm, this is how the new regulations were written into law.

No More Cover-Ups

Now, the superintendent’s office places a strict time cap on security breach announcements. A company has no more than 72 hours to report any event that has a “reasonable likelihood of materially harming the normal operations” of the company. 

Since Equifax’s disregard for public safety, the law now stipulates that a data breach report is no longer the jurisdiction of the local supervisory body. Instead, reports of data loss go up the chain of command straight to the New York Superintendent’s office.

With a quicker turnaround time, consumers can be alerted quickly and efficiently through official channels about the breach.

Though basic requirements of the law have already gone into effect, the state of New York did allow time for mortgage companies to learn the law and implement it piece by piece.

According to the roll-out dates of the law, companies are required to be legally compliant with specific sections of the law on March 1 and September 3, 2018. The end of the full two-year transitional period and full compliance will be enforced by March 1, 2019.

For comprehensive compliance guidance and other cybersecurity solutions and, contact us.

Image: Visual Hunt

Topics: cyber security mobile security mobile device security email security cybersecurity security mortgage industry Trump Administration Housing Market Mortgage Lending 23 NYCRR Part 500 NYSDFS

Business Data Security and Multi-Factor Authentication

 240_F_122590781_AfHycyjOI0sOqepiZ1DQVBYkZsH7qlRr.jpg Get an extra level of security with multi-factor authentication or MFA.

Each year, cybersecurity gets more complicated.

According to anti-virus developer Panda Security, the amount of malware created by cybercriminals is predicted to grow exponentially with each passing year.

Companies have to face the reality that a security breach has a serious impact on business.

To avoid the distress of company-wide damage control and a PR nightmare, it’s best to make sure security is in good shape.

Real Business Impact

For some businesses, consumer data handling is the main issue.

Financial institutions such as banks and mortgage companies are often targeted by hackers because they house the most personal information.

With major security failures like the Equifax breach of 2017 making international news, the finance industry’s cybersecurity worries are real.

More is at stake than information. A data breach can mean sales losses and a tarnished reputation that lasts for years.

From fines to fraud, there are monetary repercussions as well.

So what is the fastest way to tighten security on cloud-based and traditional networks?

Multi-Factor Authentication

Data breaches in single-factor authentication systems often exploit the system login credentials or passwords of users.

Multi-factor authentication or MFA is a group of security measures that go beyond the traditional password in order to correctly identify a person for system access.

MFA is becoming more prevalent in the financial industry. This kind of authentication was adopted by the Payment Card Industry Data Security Standard (PSI DSS) in February of 2017 and was listed as a standard for the mortgage industry in the State of New York in the same year.

Multiple factors mean heightened levels of information that only the user can provide.

These factors can be a number of different security measures. A “soft token” is when security software generates a one-time-use passcode sent to the user’s mobile device. This type of authentication can also be executed with a text message, phone call, or an email with a hyperlink.

Other factors run the gamut from predefined security questions to biometric identifiers like fingerprints or facial recognition software.

Only the correct user knows the information or is in the circumstance to receive the passcode, so using MFA means only the approved user is given access.

The Modern Office

Another issue with security is the modern office environment.

There are a growing number of remote workers. Employees want access to work-related applications from outside the office.

In this mobile workforce, employees are moving off of network-approved computers and onto personal or public machines. It’s up to the IT department to facilitate their work and make sure they go through a heightened level of security checks.

MFA is an authentication strategy that allows IT to deliver this level of remote access. It solves the problem of identifying recognized employees while maintaining a solid defense against intruders.

User Experience

The final consideration when implementing cybersecurity measures is user experience.

With higher scrutiny comes a higher level of annoyance by the employee at having to prove their authorization.

IT staffers need to balance security measures with user convenience.

One development that improves this balance is “adaptive” MFA. This security technology evaluates the risk factor of the user and then adapts the number of factors required for entry to the system.

An employee using a company-issued laptop at a café with an IP address across the street from headquarters is considered a low-risk access attempt. This situation does not require extra security measures.

On the other hand, if someone is trying to gain access on an unrecognized device in a location where the company doesn’t have an office (e.g. employee is attempting to do work on her tablet while vacationing in Bali) then the number of factors required will be at the maximum level. The employee jumps through some hoops, but with an understanding of why.

Conclusion

Data breaches are happening at the enterprise level at an alarming rate. A watchdog organization called Breach Level Index estimates that every second, an average of 57 records are stolen.

Employees are moving towards a more mobile work environment with wide geographic distribution.

For companies who handle consumer data, implementing MFA is simply one of the most effective ways to crack down on security violations and keep up with the modern workplace.

Businesses that use the MortgageWorkspace management software by ABT are protected by multi-factor authentication and a host of other cybersecurity measures. Contact us to learn more.

Topics: social networking safety phishing multi-factor authentication cloud storage mortgage business Compliance for Mortgage Companies Compliance Audit cloud-based data Housing Market Mortgage Lending

Trump Administration’s Long- and Short-term Impacts on Housing Market

 

Trump Administration’s Long- and Short-term Impacts on Housing Market

The Long- and Short-term Impacts of Trump’s Housing Market Policies

Each time a new administration comes into office--whether the same political party or not--there will always be changes. Political leaders are not elected because they support the status quo, but generally because they want to shake things up. Their policy changes can often shift an entire economic sector, such as the housing market. President Trump’s new policies are already changing the borrowing and lending of mortgage funds.

As with political processes and policymaking in any country, some people will benefit and some will lose. There will never exist a one-size-fits-all policy. Here is what U.S. residents can expect going forward with Trump administration's changes/policies regarding housing.

Upholding the FHA's Annual Mortgage Insurance Premium

Lowering the mortgage insurance premiums is part of what Obama had been focusing on toward the end of his administration. Some low-income citizens, looking to purchase a home, were hoping to benefit from the enactment of that policy. However, the Trump administration has decided to suspend the mortgage premium fee reduction. What does this mean?

Short-term impact

  • When the Obama administration announced its plan to decrease the annual mortgage rate in early January, many lower-income individuals signed up, which caused a spike in FHA applications. With the premiums no longer being offered at a lower rate, many of these requests will either be withdrawn or rejected.
  • There will be fewer new FHA order applications as well as fewer FHA refinance applications.
  • The fee reduction, for FHA-backed loans, would have cut 0.25 percentage points of the total amount borrowed. Savings for Americans with a $100,00 mortgage would have been about $250, and for a $200,000 mortgage it would have equated to about $500 in savings each year. With the suspension of this fee cut, new homeowners will have to find other ways to save.

Long-term impact

  • The overall cost of owning a home will increase.
  • After a pullback of the housing market rates during Obama’s presidential terms, mortgage rates are expected to rise.
  • Affordability for low- to mid-income individuals and couples will decrease over time as the housing costs rise alongside housing demand.
  • Suspension of the rate cut of the FHA is indefinite, which may eventually help the FHA due to higher premiums and higher demand for housing.

Controlling the Consumer Financial Protection Bureau (CFPB)

Reformation of Wall Street practices is part of the reason the Consumer Financial Protection Bureau was created. The aspect of independence of this agency begs many ongoing questions. With the CFPB under the control of the new administration, its agenda will be determined by the decisions of current policy makers.

Short-term impact

  • Currently, there are claims that the body is unconstitutional. Even so, the president exercises control over the agency. The CFPB will not be used in the same way it was during the Obama administration, and as such, it may not act as an independent regulatory body.

Long-term impact

  • The issue of legality of the CFPB remains a court case at the moment, even as Trump's administration exercises power to control the housing sector through this body.
Home ownership has long been a part of the American Dream. While some critics believe Trump’s changes to housing will only make this dream more challenging for some, there are others who believe this cut will benefit taxpayers in the long run, especially if the country experiences another housing market crash as it did in 2008. Trump’s order to suspend the fee reduction will not affect current mortgage holders from making their existing payments, but it might prevent some people from taking the leap into home ownership. It’s important to note that even with a new administration and different policies put in place, there are other factors that affect the markets. For housing, this will always be tied strongly to supply and demand, home interest rates, and inflation.
Topics: FHA Trump Administration Housing Market Mortgage Lending