50 shades of pain cybersecurity regulation for mortgage
play

50 Shades of Pain Cybersecurity Regulation for Mortgage Companies - PowerPoint PPT Presentation

Oct 02, 2023 •441 likes •929 views

50 Shades of Pain Cybersecurity Regulation for Mortgage Companies has Arrived! 26 th Annual Rocky Mountain Mortgage Lenders Expo Thursday April 20, 2017 Sports Authority Field at Mile High Ray Hutchins Mitch Tanenbaum Managing

  1. 50 Shades of Pain – Cybersecurity Regulation for Mortgage Companies has Arrived! 26 th Annual Rocky Mountain Mortgage Lenders Expo Thursday April 20, 2017 Sports Authority Field at Mile High • Ray Hutchins Mitch Tanenbaum • Managing Partner, CyberCecurity Partner, CyberCecurity

  2.  Gramm Leach Bliley Act (GLBA) --1999  Massachusetts 201 CMR 1700 – 2010  California 1798.81.5 – 2015  Consumer Financial Protection Bureau-- 2010  New York DFS 500—2017 What’s Next?

  3.  FTC-one of 8 federal regulatory agencies with authority to enforce financial privacy law  State Insurance Authorities  Federal Banking Agencies  SEC  Commodity Futures Trading Commission

  4.  2006-FTC vs. Premier Capital Lending and Debra Stiles  2006-FTC vs Nations Title Agency and Christopher Likens  2007-FTC vs. United Mortgage Company  2009-FTC vs. James B. Nutter & Company

  6.  This regulation was first proposed when Ben Lawsky was the DFS superintendent  He socialized it with regulators in all 50 states, plus national regulators  He asked for feedback and likely got it

  7.  Who Does This Regulation Affect?

  8.  At the first tier, it affects all financial institutions licensed to do business in New York, such as banks, mortgage originators and registered investment advisors  But, there is more impact

  9.  At the next level, it impacts all vendors of licensed entities who have access to the licensee’s data

  10.  At the next level, it impacts all vendors of licensed entities who have access to the licensee’s data

  11.  Who does this include? • Colorado mortgage lenders will get a bit of a free ride as all of the big outsource providers will get in line with the New York requirements • The size of this group is likely ten times as big as the group of lenders directly affected

  12.  When does it go into effect?  March 1, 2017

  13.  When do all companies have to be compliant? • Some parts require compliance on 9/1/17 • Other parts require compliance on 3/1/18, 9/1/18 or 3/1/19

  14.  What does compliance mean?

  15.  By February 15 of every year the Board or a Senior officer must personally sign a statement that says: • 1. Such person has reviewed reports, certifications and opinions as needed • 2. Sign a document that says that, to the best of that officer’s knowledge, the company is in full compliance with Part 500  No room for an asterisk on the form

  16.  What are the consequences?

  17.  The regulation will be enforced by the superintendent, pursuant to the superintendent’s authority under any law.  Meaning fines and the potential to lose the license to operate in the state

  18.  Who Is Exempted?

  19.  Section 19 says:  Limited exemption for covered entities with: • Fewer than 10 employees including contractors • Less than $5 Mil in gross annual revenue in each of the last 3 fiscal years • Less than $10 Mil in year-end total assets, according to GAAP, including all affiliates • Still have to comply with some parts of the reg

  20.  Now that we have handled the logistics, what are the requirements?

  21. September 2017 Requirements  To be implemented by September 1, 2017  Section 00 – Introduction  Section 01 – Definitions  Section 02 – Written cyber security program similar to GLBA requirements except tailored to New York regulation

  22. September 2017 Requirements  To be implemented by September 1, 2017  Section 03 – Cyber security policies – 14 very specific policies are required  Section 04 – Qualified person in charge of the program – again similar to GLBA

  23. September 2017 Requirements  To be implemented by September 1, 2017  Section 07 – Access controls – limit access to NPI data based on need to know  Section 10 – Qualified cyber security personnel and Intelligence  Section 16 – Written incident response (IR) plan including processes, roles and responsibilities

  24. September 2017 Requirements  To be implemented by September 1, 2017  Section 17 – Notices to superintendent • Within 72 hours of any event that requires notification to anyone else or has reasonable likelihood of material harm

  25. March 2018 Requirements  To be implemented by March 1, 2018  Section 04(b) – Annual report to the company’s Board, in writing, of the state of the company’s information security program and material cyber security risks

  26. March 2018 Requirements  To be implemented by March 1, 2018  Section 05 – Penetration testing and vulnerability assessments – • ANNUAL penetration testing • BI-ANNUAL vulnerability assessments  Section 09 – Periodic Risk assessment • Annual is a reasonable period

  27. March 2018 Requirements  To be implemented by March 1, 2018  Section 12 – Multi factor authentication • Based on risk assessment • Required for any remote access  CISO can substitute reasonably equivalent or more secure controls, if documented in writing

  28. March 2018 Requirements  To be implemented by March 1, 2018  Section 14 – Regular cyber security training for all personnel • Regular means recurring • Training updated to reflect risk assessment

  29. March 2018 Requirements  To be implemented by March 1, 2018  Section 17(b) – Annual written, signed certification of compliance by CoB or CEO • Must document why you think the company is compliant • Must keep this documentation for DFS examination for five years • Must document

  30. September 2018 Requirements  To be implemented by September 1, 2018  Section 06 – Audit Trails • Sufficient to reconstruct material financial transactions • Designed to detect and respond to cyber security events • Keep audit trail records for at least five years

  31. September 2018 Requirements  To be implemented by September 1, 2018  Section 08 – Application security • Written SDLC program for internal software and security testing for external software  Section 13 – Limitations on data retention • Secure disposal of unneeded NPI data

  32. September 2018 Requirements  To be implemented by September 1, 2018  Section 14(2) – Monitoring • Detect authorized users doing unauthorized actions  Section 15 – Encryption of data in motion AND AT REST • Wherever it lives • If infeasible, implement compensating controls

  33. September 2018 Requirements  To be implemented by March 1, 2019  Section 11 – Third party service provider security policy • To ensure the security of systems and NPI held or accessed by third parties

  34.  Gramm Leach Bliley Act (GLBA) --1999  Massachusetts 201 CMR 1700 – 2010  California 1798.81.5 – 2015  Consumer Financial Protection Bureau- -2010  New York DFS 500—2017 What’s Next?

  35. What’s Next?  Benjamin Lawsky - former New York State Department of Financial Services ( NYDFS ) Superintendent  Dieter Raemdonck, Associate– Lewis Roca Rothgerber Christie - Lobbyist CMLA  Julie Waggener, Partner - Hoffman Crews Nies Waggener & Foster LLP – CO Real Estate Commission  Marsha Waters, DORA Director of Division of Real Estate  Pat Zenzola -lobbyist California Mortgage Banking Association (Multi-state lenders keep ear to the ground)

  36. Trump = No New Regulations?

  37. Treasury Secretary Steven Mnuchin said on Nov. 2, 2016 that because the safety of the financial system is critical, he has made cybersecurity his top technology priority. He said he will use his authority as chairman of the Financial Stability Oversight Council to push financial regulators to strengthen cybersecurity.

  38. New Cybersecurity Initiative  Advanced Notice of Proposed Rulemaking (APNR)  Joint rulemaking by Fed Reserve Board, Office of Comptroller of Currency, and FDIC  Financial entities with $50b assets  Purpose to establish standards making the largest institutions and the U.S. financial system itself more operationally resilient to cyber attack  Includes 3 rd party servicers  Comment period over on Jan. 17, 2017

  39. Tuesday-Homeland Security Secretary John Kelly gave 1 st speech Described cyber threats as “relentless” and called cyber criminals and adversarial nation states “thieves, vandals, saboteurs, enemies of democracy and potentially so much more.’

  40. No insight into when Donald Trump would issue long- postponed executive order on cybersecurity. Kelly said he is standing by…awaiting it with “baited breath.”

  41. How long can you afford to wait? Besides your company’s reputation, what is the risk? Is there a price to be paid? Or is the best strategy to ignore the regulators?

  42. On April 12 th , OCR signed $400k resolution agreement and corrective action plan with Metro Community Provider Network to settle non-compliance issue with respect to 2012 breach. Prior to breach MCPN had not conducted a risk assessment.

  44. Contact Us

  45. One Last Thought  Huge shortage of cybersecurity professionals  Much bigger shortage of another category of professionals

  46. Questions  ?

  47. Contact Us Ray Hutchins Mitch Tanenbaum 303-887-5864 720-891-1663 rh@cybercecurity.com mitch@cybercecurity.com  To get our free weekly cyber security email newsletter, please send an email to Mitch@CyberCecurity.com

Recommend

Home Mortgage Disclosure Act: Auditing Tips 1 2 Regulation Overview Regulation Overview

Home Mortgage Disclosure Act: Auditing Tips 1 2 Regulation Overview Regulation Overview

3/13/20 Regulation Overview Home Mortgage Disclosure Act: Auditing Tips 1 2 Regulation Overview Regulation Overview Requires certain financial institutions to collect, report, and disclose The data are submitted electronically to the

250 views • 6 slides
Pain, Allostasis and Sensitization Brief overview of pain mechanisms Pain Neuromatrix Allostasis

Pain, Allostasis and Sensitization Brief overview of pain mechanisms Pain Neuromatrix Allostasis

Pain, Allostasis and Sensitization Brief overview of pain mechanisms Pain Neuromatrix Allostasis National Orthopedic Symposium 2019 Allostatic load Neural Regulation Joshua Lee PT, MSc, MPT, PhD(c) Sensitization References Pain Neuromatrix

306 views • 13 slides
Ability to Repay and Qualified Mortgage Standards Under the Truth in Lending Act (Regulation Z)

Ability to Repay and Qualified Mortgage Standards Under the Truth in Lending Act (Regulation Z)

Ability to Repay and Qualified Mortgage Standards Under the Truth in Lending Act (Regulation Z) Presented by: Thomas E. Black, Jr. Regina M. Uhl Effective Date January 10, 2014 2 General Rule Creditor shall not make a loan that is a

683 views • 37 slides
MORTGAGE TO RENT SCHEME What is Mortgage to Rent Mortgage to Rent is a Government Scheme that

MORTGAGE TO RENT SCHEME What is Mortgage to Rent Mortgage to Rent is a Government Scheme that

MORTGAGE TO RENT SCHEME What is Mortgage to Rent Mortgage to Rent is a Government Scheme that aims to keep distressed mortgage holders in their current homes, mortgage debt free. These are homeowners who are at most acute risk of losing their

320 views • 12 slides
HMDA / Regulation C Amendments New 1003 Application January 2017 1 Mission Statement - To

HMDA / Regulation C Amendments New 1003 Application January 2017 1 Mission Statement - To

Nations Direct Mortgage, LLC HMDA / Regulation C Amendments New 1003 Application January 2017 1 Mission Statement - To lead the third party residential mortgage industry by providing products and services that satisfy the needs and

697 views • 28 slides
Trends in Data Breach and Cybersecurity Regulation, Legislation and Litigation Part I March 20,

Trends in Data Breach and Cybersecurity Regulation, Legislation and Litigation Part I March 20,

Trends in Data Breach and Cybersecurity Regulation, Legislation and Litigation Part I March 20, 2014 Speakers John J. Sullivan, Partner, rejoined Mayer Brown after serving as General Counsel at the US Department of Commerce in 2005 and then,

497 views • 34 slides
HOME MORTGAGE DISCLOSURE ACT INTRODUCTION Regulation C is found at 12 CFR 1003

HOME MORTGAGE DISCLOSURE ACT INTRODUCTION Regulation C is found at 12 CFR 1003

HOME MORTGAGE DISCLOSURE ACT INTRODUCTION Regulation C is found at 12 CFR 1003 Requires the collection and reporting of certain home loan data Requires the collection of applicant and borrower information to assist in

155 views • 14 slides
U.S. National U.S. National Why are we talking about Cybersecurity Cybersecurity

U.S. National U.S. National Why are we talking about Cybersecurity Cybersecurity

U.S. National U.S. National Why are we talking about Cybersecurity Cybersecurity cybersecurity? William J. Perry Martin Casado Keith Coleman Dan Wendlandt MS&E 91SI Spring 2004 Stanford University U.S. National Cybersecurity

81 views • 7 slides
Trends in Data Breach and Cybersecurity Regulation, Legislation and Litigation Part 2 April 17,

Trends in Data Breach and Cybersecurity Regulation, Legislation and Litigation Part 2 April 17,

Trends in Data Breach and Cybersecurity Regulation, Legislation and Litigation Part 2 April 17, 2014 For nearly a decade, weve had major data breaches at companies both large and small. Millions of consumers have suffered the

645 views • 46 slides
Trends in Data Breach and Cybersecurity Regulation, Legislation and Litigation April 17, 2014

Trends in Data Breach and Cybersecurity Regulation, Legislation and Litigation April 17, 2014

Trends in Data Breach and Cybersecurity Regulation, Legislation and Litigation April 17, 2014 For nearly a decade, weve had major data breaches at companies both large and small. Millions of consumers have suffered the

891 views • 42 slides
Persistent pain cycle pain Peripheral sensi2sa2on Central

Persistent pain cycle pain Peripheral sensi2sa2on Central

Pain: NWH Community Pharmacy Engagement Event January 2015 1 What is pain? Time-based classifica2on of pain

462 views • 10 slides
MANAGEMENT PLAN Courtney Reich, AICP, CFM, Goodwyn Mills & Cawood Upper Shades Creek

MANAGEMENT PLAN Courtney Reich, AICP, CFM, Goodwyn Mills & Cawood Upper Shades Creek

SHADES CREEK WATERSHED MANAGEMENT PLAN Courtney Reich, AICP, CFM, Goodwyn Mills & Cawood Upper Shades Creek 26,395 acres HUC ID 031502020301 Lower Shades Creek 44,470 acres, HUC ID 031502020303 Cooley Creek/Mud

633 views • 47 slides
Information Regulation is Tricky: Lessons from Mortgage Disclosure Research James M. Lacko Janis

Information Regulation is Tricky: Lessons from Mortgage Disclosure Research James M. Lacko Janis

Information Regulation is Tricky: Lessons from Mortgage Disclosure Research James M. Lacko Janis K. Pappalardo Bureau of Economics, Federal Trade Commission Behavioral Economics and Consumer Conference Federal Trade Commission, Washington, DC

513 views • 34 slides
Mortgage Vision Mortgage Vision Delivering customer expectations through technology Mortgage

Mortgage Vision Mortgage Vision Delivering customer expectations through technology Mortgage

Mortgage Vision Mortgage Vision Delivering customer expectations through technology Mortgage Vision Todays session Mortgage Vision By the end of the session you will be able to: Clarify the changing demands of customers Have

651 views • 21 slides
Presented by: Islanders Bank Cybersecurity Awareness Cybersecurity Awareness Objectives:

Presented by: Islanders Bank Cybersecurity Awareness Cybersecurity Awareness Objectives:

Presented by: Islanders Bank Cybersecurity Awareness Cybersecurity Awareness Objectives: Define Cybersecurity & why its important Provide information about Dept. Homeland Security Cybersecurity Campaigns: National

330 views • 22 slides
STEVEN J. SLESS Reverse Mortgage Division Manager Primary Residential Mortgage, Inc.

STEVEN J. SLESS Reverse Mortgage Division Manager Primary Residential Mortgage, Inc.

STEVEN J. SLESS Reverse Mortgage Division Manager Primary Residential Mortgage, Inc. Mortgage Industry Veteran of 16 years Extensive track record of consumer direct marketing success Creator and presenter of the Retirement on

423 views • 28 slides
IS THERE ANY LIFE IN MORTGAGE MARKETS IN SOUTH AFRICA? September 2018 2 AGENDA 1. Mortgage

IS THERE ANY LIFE IN MORTGAGE MARKETS IN SOUTH AFRICA? September 2018 2 AGENDA 1. Mortgage

IS THERE ANY LIFE IN MORTGAGE MARKETS IN SOUTH AFRICA? September 2018 2 AGENDA 1. Mortgage access 2. Borrowers 3. Properties 4. Lenders 5. Governance 6. Next steps SARB data provides a long term perspective on mortgage activity

512 views • 49 slides
New Approaches for Chronic Pain.. Dr Suyin Tan Clinical Director Anaesthesia & Pain Mx

New Approaches for Chronic Pain.. Dr Suyin Tan Clinical Director Anaesthesia & Pain Mx

New Approaches for Chronic Pain.. Dr Suyin Tan Clinical Director Anaesthesia & Pain Mx NBMLHD Pain is EVERYBODYs problem. National Pain Plan Tertiary Multidisciplinary pain service in teaching hospital Moderate-high complexity ,

784 views • 18 slides
Chro nic Pain Afte r Surg e ry whe n ac ute pain turns into c hro nic pain Ramana K.

Chro nic Pain Afte r Surg e ry whe n ac ute pain turns into c hro nic pain Ramana K.

Chro nic Pain Afte r Surg e ry whe n ac ute pain turns into c hro nic pain Ramana K. Naidu, MD Department of Anesthesia & Perioperative Care University of California - San Francisco Director of Acute Pain Services Director of the

460 views • 20 slides
ABDOMINAL PAIN Location Work-up Acute pain syndromes Chronic pain syndromes

ABDOMINAL PAIN Location Work-up Acute pain syndromes Chronic pain syndromes

ABDOMINAL PAIN Location Work-up Acute pain syndromes Chronic pain syndromes Epigastric Pain PUD GERD MI AAA- abdominal aortic aneurysm Pancreatic pain Gallbladder and common bile duct obstruction Right

821 views • 26 slides
FFIEC Cybersecurity Assessment Tool Monday, April 6 Moderator: Austin Kilgore , Editor in Chief,

FFIEC Cybersecurity Assessment Tool Monday, April 6 Moderator: Austin Kilgore , Editor in Chief,

FFIEC Cybersecurity Assessment Tool Monday, April 6 Moderator: Austin Kilgore , Editor in Chief, SourceMedia Mortgage Group Speakers: Michael G. Morgan , Of Counsel, Jones Day Ryan Smyth , Principal- Privacy and Data Security, Promontory

433 views • 28 slides
WHY MORTGAGE CLIENTS NEED INCOME PROTECTION WHY MORTGAGE CLIENTS NEED IP HOUSEKEEPING

WHY MORTGAGE CLIENTS NEED INCOME PROTECTION WHY MORTGAGE CLIENTS NEED IP HOUSEKEEPING

WHY MORTGAGE CLIENTS NEED INCOME PROTECTION WHY MORTGAGE CLIENTS NEED IP HOUSEKEEPING Questions can be submitted in the Ask a question box below the main webinar feed If you encounter any technical issues use the support option

1.2k views • 98 slides
Chronic Pain and Neurology An Approach to Complex Patients with Intractable Pain Joanna G.

Chronic Pain and Neurology An Approach to Complex Patients with Intractable Pain Joanna G.

Chronic Pain and Neurology An Approach to Complex Patients with Intractable Pain Joanna G. Katzman MD, MSPH Chronic Pain and Neurological Disorders Headaches Peripheral Neuropathic Pain Spasticity Spinal Stenosis/Radicular Pain

865 views • 42 slides
Ultrasound Scan for Midwives: Identification of fetal head in 3 rd trimester Different shades of

Ultrasound Scan for Midwives: Identification of fetal head in 3 rd trimester Different shades of

Amar Trivedi Ultrasound Scan for Midwives: Identification of fetal head in 3 rd trimester Different shades of black and white in an image Shades of black and white in an image depend upon the tissue reflectivity of the ultrasound beam

540 views • 19 slides

More recommend