With the widely publicized hacks of computer systems
at (among others) Target, Sony and the U.S. Central Command (the latter
occurring while President Obama was giving a speech describing his new
cybersecurity initiatives), data security is sounding increasingly like a
contradiction in terms. (See related article.)
But for financial institutions and their vendors, few
compliance concerns loom larger than their obligation to protect the personal
information and funds of their clients and customers.
The risks of data breaches are large and increasing,
and the costs are high, measured not just in the penalties imposed for security
failures, but in the reputation damage, loss of confidence and loss of business
resulting from them.
In one recent example, the Massachusetts Attorney
General slammed TD Bank
with an $825,000 penalty for failing to properly safeguard consumer data and
failing to report a breach immediately, as state law requires. The bank’s computers weren’t hacked; a third
party delivery service lost two unencrypted computer tapes it was transporting
from one location to another.
Two phrases should be flashing neon in your
brain: “encryption” and “third party.”
Both are essential components of a data security plan. Sensitive data
transmitted by any means must be encrypted, and financial entities are
responsible for the data security lapses of the third party vendors they
If you’re not encrypting electronic communications
containing personal information, you should be.
(You can find helpful resources in the “Trusted Partners” section of the
Web site.) And if your financial
institution clients haven’t quizzed you yet about your data security policies
and other compliance measures, they will begin to do so – intensely and soon. If TD Bank wasn’t vetting its vendors before
paying that $825,000 penalty, you can bet they’re vetting them now.
Title insurance agencies and settlement services
providers need to vet their vendors as well.
If a messenger service you employ had lost unencrypted tapes containing
closing-related information, your lender client would have held you responsible
for the breach.
are focusing on data security issues.
The New York State Department of Financial Services recently asked many
large national banks to provide information about the cybersecurity measures of
their third party service providers, including “any due diligence processes
used to evaluate [them].” The department is reportedly considering new
cybersecurity regulations targeting third party service providers. Some federal regulators may be moving in that
direction, as well. In a speech last
July, Jacob Lew, Undersecretary of the Treasury, urged financial institutions
to evaluate the cybersecurity measures of their vendors, noting that they
“should and could be doing more.”
Data security isn’t a one-way street. While lenders have good reason to be
concerned about the quality of data security at their vendors, title insurance
agents should be equally concerned about security at the institutions holding
their escrow accounts. A painful case in
point: Efficient Services Escrow Group,
a California-based company, failed after hackers drained nearly $2 million from
the firm’s bank account through fraudulent wire transfers. When Efficient
couldn’t replace the lost funds, state regulators shut the company down.
Cyber-security risks are real, they are multi-faceted,
and title agents need to understand and deal effectively with them. What you don’t know and fail to do in this
area can hurt you and your clients.