
50 Shades of Pain Cybersecurity Regulation for Mortgage Companies - PowerPoint PPT Presentation



  1. 50 Shades of Pain – Cybersecurity Regulation for Mortgage Companies has Arrived!
     26th Annual Rocky Mountain Mortgage Lenders Expo, Thursday April 20, 2017, Sports Authority Field at Mile High
     • Ray Hutchins, Managing Partner, CyberCecurity
     • Mitch Tanenbaum, Partner, CyberCecurity

  2. What’s Next?
     • Gramm Leach Bliley Act (GLBA) – 1999
     • Massachusetts 201 CMR 1700 – 2010
     • California 1798.81.5 – 2015
     • Consumer Financial Protection Bureau – 2010
     • New York DFS 500 – 2017

  3. Who enforces financial privacy law?
     • FTC – one of 8 federal regulatory agencies with authority to enforce financial privacy law
     • State Insurance Authorities
     • Federal Banking Agencies
     • SEC
     • Commodity Futures Trading Commission

  4. FTC enforcement actions
     • 2006 – FTC vs. Premier Capital Lending and Debra Stiles
     • 2006 – FTC vs. Nations Title Agency and Christopher Likens
     • 2007 – FTC vs. United Mortgage Company
     • 2009 – FTC vs. James B. Nutter & Company

  5. Origin of the New York regulation
     • This regulation was first proposed when Ben Lawsky was the DFS superintendent
     • He socialized it with regulators in all 50 states, plus national regulators
     • He asked for feedback and likely got it

  6. Who Does This Regulation Affect?

  7. Who Does This Regulation Affect?
     • At the first tier, it affects all financial institutions licensed to do business in New York, such as banks, mortgage originators and registered investment advisors
     • But there is more impact

  8. Who Does This Regulation Affect?
     • At the next level, it impacts all vendors of licensed entities who have access to the licensee’s data

  10. Who does this include?
     • Colorado mortgage lenders will get a bit of a free ride, as all of the big outsource providers will get in line with the New York requirements
     • The size of this group is likely ten times as big as the group of lenders directly affected

  11. When does it go into effect?
     • March 1, 2017

  12. When do all companies have to be compliant?
     • Some parts require compliance on 9/1/17
     • Other parts require compliance on 3/1/18, 9/1/18 or 3/1/19

  13. What does compliance mean?

  14. What does compliance mean?
     • By February 15 of every year the Board or a senior officer must personally sign a statement that says:
        1. Such person has reviewed reports, certifications and opinions as needed
        2. Sign a document that says that, to the best of that officer’s knowledge, the company is in full compliance with Part 500
     • No room for an asterisk on the form

  15. What are the consequences?

  16. What are the consequences?
     • The regulation will be enforced by the superintendent, pursuant to the superintendent’s authority under any law.
     • Meaning fines and the potential to lose the license to operate in the state

  17. Who Is Exempted?

  18. Who Is Exempted?
     • Section 19 says: limited exemption for covered entities with:
        • Fewer than 10 employees including contractors
        • Less than $5 Mil in gross annual revenue in each of the last 3 fiscal years
        • Less than $10 Mil in year-end total assets, according to GAAP, including all affiliates
     • Still have to comply with some parts of the reg

  19. Now that we have handled the logistics, what are the requirements?

  20. September 2017 Requirements – to be implemented by September 1, 2017
     • Section 00 – Introduction
     • Section 01 – Definitions
     • Section 02 – Written cyber security program, similar to GLBA requirements except tailored to the New York regulation

  21. September 2017 Requirements – to be implemented by September 1, 2017
     • Section 03 – Cyber security policies – 14 very specific policies are required
     • Section 04 – Qualified person in charge of the program – again similar to GLBA

  22. September 2017 Requirements – to be implemented by September 1, 2017
     • Section 07 – Access controls – limit access to NPI data based on need to know
     • Section 10 – Qualified cyber security personnel and intelligence
     • Section 16 – Written incident response (IR) plan including processes, roles and responsibilities

  23. September 2017 Requirements – to be implemented by September 1, 2017
     • Section 17 – Notices to superintendent
        • Within 72 hours of any event that requires notification to anyone else or has a reasonable likelihood of material harm

  24. March 2018 Requirements – to be implemented by March 1, 2018
     • Section 04(b) – Annual report to the company’s Board, in writing, on the state of the company’s information security program and material cyber security risks

  25. March 2018 Requirements – to be implemented by March 1, 2018
     • Section 05 – Penetration testing and vulnerability assessments
        • ANNUAL penetration testing
        • BI-ANNUAL vulnerability assessments
     • Section 09 – Periodic risk assessment
        • Annual is a reasonable period

  26. March 2018 Requirements – to be implemented by March 1, 2018
     • Section 12 – Multi factor authentication
        • Based on risk assessment
        • Required for any remote access
     • CISO can substitute reasonably equivalent or more secure controls, if documented in writing

  27. March 2018 Requirements – to be implemented by March 1, 2018
     • Section 14 – Regular cyber security training for all personnel
        • Regular means recurring
        • Training updated to reflect the risk assessment

  28. March 2018 Requirements – to be implemented by March 1, 2018
     • Section 17(b) – Annual written, signed certification of compliance by CoB or CEO
        • Must document why you think the company is compliant
        • Must keep this documentation for DFS examination for five years
        • Must document

  29. September 2018 Requirements – to be implemented by September 1, 2018
     • Section 06 – Audit trails
        • Sufficient to reconstruct material financial transactions
        • Designed to detect and respond to cyber security events
        • Keep audit trail records for at least five years

  30. September 2018 Requirements – to be implemented by September 1, 2018
     • Section 08 – Application security
        • Written SDLC program for internal software and security testing for external software
     • Section 13 – Limitations on data retention
        • Secure disposal of unneeded NPI data

  31. September 2018 Requirements – to be implemented by September 1, 2018
     • Section 14(2) – Monitoring
        • Detect authorized users doing unauthorized actions
     • Section 15 – Encryption of data in motion AND AT REST
        • Wherever it lives
        • If infeasible, implement compensating controls

  32. March 2019 Requirements – to be implemented by March 1, 2019
     • Section 11 – Third party service provider security policy
        • To ensure the security of systems and NPI held or accessed by third parties

  33. What’s Next?
     • Gramm Leach Bliley Act (GLBA) – 1999
     • Massachusetts 201 CMR 1700 – 2010
     • California 1798.81.5 – 2015
     • Consumer Financial Protection Bureau – 2010
     • New York DFS 500 – 2017

  34. What’s Next?
     • Benjamin Lawsky – former New York State Department of Financial Services (NYDFS) Superintendent
     • Dieter Raemdonck, Associate – Lewis Roca Rothgerber Christie – Lobbyist, CMLA
     • Julie Waggener, Partner – Hoffman Crews Nies Waggener & Foster LLP – CO Real Estate Commission
     • Marsha Waters, DORA Director of Division of Real Estate
     • Pat Zenzola – lobbyist, California Mortgage Banking Association (multi-state lenders keep an ear to the ground)

  35. Trump = No New Regulations?

  36. Treasury Secretary Steven Mnuchin said on Nov. 2, 2016 that because the safety of the financial system is critical, he has made cybersecurity his top technology priority. He said he will use his authority as chairman of the Financial Stability Oversight Council to push financial regulators to strengthen cybersecurity.

  37. New Cybersecurity Initiative
     • Advance Notice of Proposed Rulemaking (ANPR)
     • Joint rulemaking by the Federal Reserve Board, Office of the Comptroller of the Currency, and FDIC
     • Financial entities with $50B in assets
     • Purpose: to establish standards making the largest institutions and the U.S. financial system itself more operationally resilient to cyber attack
     • Includes 3rd party servicers
     • Comment period ended on Jan. 17, 2017

  38. Tuesday – Homeland Security Secretary John Kelly gave his 1st speech. He described cyber threats as “relentless” and called cyber criminals and adversarial nation states “thieves, vandals, saboteurs, enemies of democracy and potentially so much more.”

  39. No insight into when Donald Trump would issue the long-postponed executive order on cybersecurity. Kelly said he is standing by, awaiting it with “bated breath.”

  40. How long can you afford to wait? Besides your company’s reputation, what is the risk? Is there a price to be paid? Or is the best strategy to ignore the regulators?

  41. On April 12th, OCR signed a $400k resolution agreement and corrective action plan with Metro Community Provider Network to settle a non-compliance issue with respect to a 2012 breach. Prior to the breach, MCPN had not conducted a risk assessment.

  42. Contact Us

  43. One Last Thought
     • Huge shortage of cybersecurity professionals
     • Much bigger shortage of another category of professionals

  44. Questions?

  45. Contact Us
     • Ray Hutchins – 303-887-5864 – rh@cybercecurity.com
     • Mitch Tanenbaum – 720-891-1663 – mitch@cybercecurity.com
     • To get our free weekly cyber security email newsletter, please send an email to Mitch@CyberCecurity.com
