In The News

New York State Department of Financial Services Requires New Strict Cybersecurity for Mortgage Companies

PRESS RELEASE


FOR IMMEDIATE RELEASE
January 1, 2018

Contact: Taylor Scilufo, Marketing Manager
(888) 422-3400

FOLSOM, Calif. – Access Business Technologies Offers Compliant Cybersecurity for Mortgage Industry

The New York State Department of Financial Services (DFS) has been closely monitoring the ever-growing threat posed to information and financial systems by nation-states, terrorist organizations and independent criminal actors. Recently, cybercriminals have sought to exploit technological vulnerabilities to gain access to sensitive electronic data. Cybercriminals can cause significant financial losses for DFS-regulated entities as well as for New York consumers whose private information may be revealed and/or stolen for illicit purposes. The financial services industry is a significant target of cybersecurity threats. The new requirements are forcing companies in the financial industry to look at improving current cybersecurity strategies.

The biggest change to the already strict regulations is the new requirement of multi-factor authentication, which can be viewed in depth under item 500.12. Access Business Technologies (ABT) has been offering multi-factor authentication (MFA) and cybersecurity services to the mortgage industry for over eighteen years. MFA is designed to promote the protection of customer information as well as the information technology systems of regulated entities. Under the new regulations, each company will be required to assess its specific risk profile and design a program that addresses its risks in a robust fashion. ABT offers the compliant technology that financial businesses will need, effective March 1, 2018.

Below are some highlighted items from the new requirements:

  • 500.04 (b) CISO Begins Reporting to Board of Directors. The Chief Information Security Officer is required to report, in writing, to the Board of Directors, or equivalent governing body, at least once a year. This report includes the status and effectiveness of the Cybersecurity Program as well as any material Cybersecurity Risks. 
  • 500.05 Begin Annual Penetration Testing and Vulnerability Assessments. In accordance with your Cybersecurity Risk Assessment, institutions must perform continuous monitoring, annual penetration tests and bi-annual vulnerability assessments to assess the effectiveness of your Cybersecurity Program.
  • 500.09 Commencement of Periodic Risk Assessments. Periodic Risk Assessments should be conducted to continually address changes to your Information Systems, business operations and nonpublic information. This activity should be carried out in accordance with your written Risk Assessment policies and procedures.
  • 500.12 Implement Multi-Factor Authentication. Each institution is required to use effective Cybersecurity Controls, which may include Multi-Factor Authentication or Risk-based Authentication. This helps protect against unauthorized access to Nonpublic Information and Information Systems. This is required for any individual accessing the Institution's internal network from an external network.
  • 500.14(b) Provide Regular Cybersecurity Awareness and Training for all Personnel. Provide regular Cybersecurity Awareness Training for all personnel that is updated to reflect risks identified by the Risk Assessment. 

Key Dates Under New York's Cybersecurity Regulation

  • March 1, 2017 - 23 NYCRR Part 500 becomes effective.
  • August 28, 2017 - 180-day transitional period ends. Covered Entities are required to be in compliance with requirements of 23 NYCRR Part 500 unless otherwise specified.
  • February 15, 2018 - Covered Entities are required to submit the first certification under 23 NYCRR 500.17(b) on or prior to this date.
  • March 1, 2018 - One-year transitional period ends. Covered Entities are required to be in compliance with the requirements of sections 500.04(b), 500.05, 500.09, 500.12 and 500.14(b) of 23 NYCRR Part 500.
  • September 3, 2018 - Eighteen-month transitional period ends. Covered Entities are required to be in compliance with the requirements of sections 500.06, 500.08, 500.13, 500.14(a) and 500.15 of 23 NYCRR Part 500.
  • March 1, 2019 - Two-year transitional period ends. Covered Entities are required to be in compliance with the requirements of 23 NYCRR 500.11.

HERE is a link to the legal mandate. 

It is critical for all regulated institutions that have not yet done so to move urgently to adopt a cybersecurity program. The number of cyber events has been steadily increasing and estimates of potential risk to our financial services industry are stark.

To learn more about how to become compliant from an expert in cybersecurity, click here.


Access Business Technologies (ABT), headquartered in Northern California, was founded in 1999 as a leading provider of hosted, on-demand software for mortgage loan origination, servicing and pipeline management. We provide access to business technologies that empower mortgage professionals to safely perform at the top of their game. ABT proactively supports, defends, and manages game-changing technologies and processes that help mortgage professionals excel.

We are a certified SSAE 16 Type II cloud solution provider to over 500 mortgage financial institutions. We are partnered with nearly a dozen leading mortgage software vendors. These partnerships enable us to provide your workforce with the tools to safely produce more loans, anywhere and anytime. For more information, contact:


Parts of this article were taken directly from 23 NYCRR 500. 


PrWeb Official Release: 
