50 Shades of Pain – Cybersecurity Regulation for Mortgage Companies Has Arrived!
26th Annual Rocky Mountain Mortgage Lenders Expo
Thursday, April 20, 2017
Sports Authority Field at Mile High
Ray Hutchins, Managing Partner, CyberCecurity
Mitch Tanenbaum, Partner, CyberCecurity
• Gramm-Leach-Bliley Act (GLBA) – 1999
• Massachusetts 201 CMR 17.00 – 2010
• California 1798.81.5 – 2015
• Consumer Financial Protection Bureau – 2010
• New York DFS Part 500 – 2017
• What’s Next?
FTC – one of 8 federal regulatory agencies with authority to enforce financial privacy law. The others include:
• State insurance authorities
• Federal banking agencies
• SEC
• Commodity Futures Trading Commission
• 2006 – FTC vs. Premier Capital Lending and Debra Stiles
• 2006 – FTC vs. Nations Title Agency and Christopher Likens
• 2007 – FTC vs. United Mortgage Company
• 2009 – FTC vs. James B. Nutter & Company
This regulation was first proposed when Ben Lawsky was the DFS superintendent. He socialized it with regulators in all 50 states, plus national regulators. He asked for feedback and likely got it.
Who Does This Regulation Affect?
At the first tier, it affects all financial institutions licensed to do business in New York, such as banks, mortgage originators and registered investment advisors. But there is more impact.
At the next level, it impacts all vendors of licensed entities who have access to the licensee’s data
Who does this include?
• Colorado mortgage lenders will get a bit of a free ride, as all of the big outsource providers will get in line with the New York requirements
• The size of this group is likely ten times as big as the group of lenders directly affected
When does it go into effect?
• March 1, 2017
When do all companies have to be compliant?
• Some parts require compliance on 9/1/17
• Other parts require compliance on 3/1/18, 9/1/18 or 3/1/19
What does compliance mean?
By February 15 of every year, the Board or a senior officer must personally sign a statement saying that:
• 1. Such person has reviewed reports, certifications and opinions as needed
• 2. To the best of that officer’s knowledge, the company is in full compliance with Part 500
No room for an asterisk on the form.
What are the consequences?
The regulation will be enforced by the superintendent, pursuant to the superintendent’s authority under any law. Meaning: fines and the potential to lose the license to operate in the state.
Who Is Exempted?
Section 19 says: limited exemption for covered entities with:
• Fewer than 10 employees, including contractors
• Less than $5 Mil in gross annual revenue in each of the last 3 fiscal years
• Less than $10 Mil in year-end total assets, according to GAAP, including all affiliates
• Still have to comply with some parts of the reg
Now that we have handled the logistics, what are the requirements?
September 2017 Requirements – to be implemented by September 1, 2017
• Section 00 – Introduction
• Section 01 – Definitions
• Section 02 – Written cyber security program, similar to GLBA requirements except tailored to the New York regulation
• Section 03 – Cyber security policies – 14 very specific policies are required
• Section 04 – Qualified person in charge of the program – again similar to GLBA
• Section 07 – Access controls – limit access to NPI data based on need to know
• Section 10 – Qualified cyber security personnel and intelligence
• Section 16 – Written incident response (IR) plan, including processes, roles and responsibilities
• Section 17 – Notices to superintendent – within 72 hours of any event that requires notification to anyone else or has a reasonable likelihood of material harm
March 2018 Requirements – to be implemented by March 1, 2018
• Section 04(b) – Annual report to the company’s Board, in writing, on the state of the company’s information security program and material cyber security risks
• Section 05 – Penetration testing and vulnerability assessments – ANNUAL penetration testing; BI-ANNUAL vulnerability assessments
• Section 09 – Periodic risk assessment – annual is a reasonable period
• Section 12 – Multi-factor authentication – based on risk assessment; required for any remote access; the CISO can substitute reasonably equivalent or more secure controls, if documented in writing
• Section 14 – Regular cyber security training for all personnel – regular means recurring; training updated to reflect the risk assessment
• Section 17(b) – Annual written, signed certification of compliance by the CoB or CEO – must document why you think the company is compliant; must keep this documentation for DFS examination for five years; must document
September 2018 Requirements – to be implemented by September 1, 2018
• Section 06 – Audit trails – sufficient to reconstruct material financial transactions; designed to detect and respond to cyber security events; keep audit trail records for at least five years
• Section 08 – Application security – written SDLC program for internal software and security testing for external software
• Section 13 – Limitations on data retention – secure disposal of unneeded NPI data
• Section 14(2) – Monitoring – detect authorized users doing unauthorized actions
• Section 15 – Encryption of data in motion AND AT REST – wherever it lives; if infeasible, implement compensating controls
March 2019 Requirements – to be implemented by March 1, 2019
• Section 11 – Third-party service provider security policy – to ensure the security of systems and NPI held or accessed by third parties
What’s Next?
• Benjamin Lawsky – former New York State Department of Financial Services (NYDFS) Superintendent
• Dieter Raemdonck, Associate – Lewis Roca Rothgerber Christie – Lobbyist, CMLA
• Julie Waggener, Partner – Hoffman Crews Nies Waggener & Foster LLP – CO Real Estate Commission
• Marsha Waters – DORA Director of Division of Real Estate
• Pat Zenzola – Lobbyist, California Mortgage Banking Association
(Multi-state lenders keep an ear to the ground)
Trump = No New Regulations?
Treasury Secretary Steven Mnuchin said on Nov. 2, 2016 that because the safety of the financial system is critical, he has made cybersecurity his top technology priority. He said he will use his authority as chairman of the Financial Stability Oversight Council to push financial regulators to strengthen cybersecurity.
New Cybersecurity Initiative – Advance Notice of Proposed Rulemaking (ANPR)
• Joint rulemaking by the Federal Reserve Board, Office of the Comptroller of the Currency, and FDIC
• Financial entities with $50B in assets
• Purpose: to establish standards making the largest institutions and the U.S. financial system itself more operationally resilient to cyber attack
• Includes 3rd-party servicers
• Comment period ended on Jan. 17, 2017
Tuesday – Homeland Security Secretary John Kelly gave his 1st speech. He described cyber threats as “relentless” and called cyber criminals and adversarial nation states “thieves, vandals, saboteurs, enemies of democracy and potentially so much more.”
No insight into when Donald Trump would issue the long-postponed executive order on cybersecurity. Kelly said he is standing by, awaiting it with “baited breath.”
How long can you afford to wait? Besides your company’s reputation, what is the risk? Is there a price to be paid? Or is the best strategy to ignore the regulators?
On April 12th, OCR signed a $400k resolution agreement and corrective action plan with Metro Community Provider Network to settle a non-compliance issue with respect to a 2012 breach. Prior to the breach, MCPN had not conducted a risk assessment.
One Last Thought
• Huge shortage of cybersecurity professionals
• Much bigger shortage of another category of professionals
Questions?
Contact Us
• Ray Hutchins – 303-887-5864 – rh@cybercecurity.com
• Mitch Tanenbaum – 720-891-1663 – mitch@cybercecurity.com
To get our free weekly cyber security email newsletter, please send an email to Mitch@CyberCecurity.com