50 Shades of Pain Cybersecurity Regulation for Mortgage Companies - - PowerPoint PPT Presentation
50 Shades of Pain Cybersecurity Regulation for Mortgage Companies has Arrived! 26 th Annual Rocky Mountain Mortgage Lenders Expo Thursday April 20, 2017 Sports Authority Field at Mile High Ray Hutchins Mitch Tanenbaum Managing
50 Shades of Pain – Cybersecurity Regulation for Mortgage Companies has Arrived!
26th Annual Rocky Mountain Mortgage Lenders Expo Thursday April 20, 2017 Sports Authority Field at Mile High
Mitch Tanenbaum
Partner, CyberCecurity
Gramm Leach Bliley Act (GLBA) --1999 Massachusetts 201 CMR 1700 – 2010 California 1798.81.5 – 2015 Consumer Financial Protection Bureau--
2010
New York DFS 500—2017
What’s Next?
FTC-one of 8 federal regulatory
agencies with authority to enforce financial privacy law
State Insurance Authorities Federal Banking Agencies SEC Commodity Futures Trading
Commission
2006-FTC vs. Premier Capital Lending and
Debra Stiles
2006-FTC vs Nations Title Agency and
Christopher Likens
2007-FTC vs. United Mortgage Company 2009-FTC vs. James B. Nutter & Company
This regulation was first proposed when
Ben Lawsky was the DFS superintendent
He socialized it with regulators in all 50
states, plus national regulators
He asked for feedback and likely got it
Who Does This Regulation Affect?
At the first tier, it affects all financial
institutions licensed to do business in New York, such as banks, mortgage originators and registered investment advisors
But, there is more impact
At the next level, it impacts all vendors of
licensed entities who have access to the licensee’s data
At the next level, it impacts all vendors of
licensed entities who have access to the licensee’s data
Who does this include?
free ride as all of the big outsource providers will get in line with the New York requirements
as the group of lenders directly affected
When does it go into effect? March 1, 2017
When do all companies have to be
compliant?
9/1/18 or 3/1/19
What does compliance mean?
By February 15 of every year the Board or a
Senior officer must personally sign a statement that says:
with Part 500
No room for an asterisk on the form
What are the consequences?
The regulation will be enforced by the
superintendent, pursuant to the superintendent’s authority under any law.
Meaning fines and the potential to lose the
license to operate in the state
Who Is Exempted?
Section 19 says:
Limited exemption for covered entities with:
according to GAAP, including all affiliates
Now that we have handled the logistics,
what are the requirements?
September 2017 Requirements
To be implemented by September 1, 2017 Section 00 – Introduction Section 01 – Definitions Section 02 – Written cyber security
program similar to GLBA requirements except tailored to New York regulation
September 2017 Requirements
To be implemented by September 1, 2017 Section 03 – Cyber security policies – 14
very specific policies are required
Section 04 – Qualified person in charge of
the program – again similar to GLBA
September 2017 Requirements
To be implemented by September 1, 2017 Section 07 – Access controls – limit access
to NPI data based on need to know
Section 10 – Qualified cyber security
personnel and Intelligence
Section 16 – Written incident response (IR)
plan including processes, roles and responsibilities
September 2017 Requirements
To be implemented by September 1, 2017 Section 17 – Notices to superintendent
notification to anyone else or has reasonable likelihood of material harm
March 2018 Requirements
To be implemented by March 1, 2018 Section 04(b) – Annual report to the
company’s Board, in writing, of the state of the company’s information security program and material cyber security risks
March 2018 Requirements
To be implemented by March 1, 2018 Section 05 – Penetration testing and
vulnerability assessments –
Section 09 – Periodic Risk assessment
March 2018 Requirements
To be implemented by March 1, 2018 Section 12 – Multi factor authentication
CISO can substitute reasonably equivalent or more secure controls, if documented in writing
March 2018 Requirements
To be implemented by March 1, 2018 Section 14 – Regular cyber security training
for all personnel
March 2018 Requirements
To be implemented by March 1, 2018 Section 17(b) – Annual written, signed
certification of compliance by CoB or CEO
compliant
examination for five years
September 2018 Requirements
To be implemented by September 1, 2018 Section 06 – Audit Trails
transactions
security events
September 2018 Requirements
To be implemented by September 1, 2018 Section 08 – Application security
security testing for external software
Section 13 – Limitations on data retention
September 2018 Requirements
To be implemented by September 1, 2018 Section 14(2) – Monitoring
actions
Section 15 – Encryption of data in motion
AND AT REST
September 2018 Requirements
To be implemented by March 1, 2019 Section 11 – Third party service provider
security policy
Gramm Leach Bliley Act (GLBA) --1999 Massachusetts 201 CMR 1700 – 2010 California 1798.81.5 – 2015 Consumer Financial Protection Bureau-
New York DFS 500—2017
What’s Next?
What’s Next?
Benjamin Lawsky - former New York State Department of
Financial Services (NYDFS) Superintendent
Dieter Raemdonck, Associate– Lewis Roca Rothgerber
Christie - Lobbyist CMLA
Julie Waggener, Partner - Hoffman Crews Nies Waggener &
Foster LLP – CO Real Estate Commission
Marsha Waters, DORA Director of Division of Real Estate Pat Zenzola -lobbyist California Mortgage Banking
Association (Multi-state lenders keep ear to the ground)
Trump = No New Regulations?
Treasury Secretary Steven Mnuchin said on Nov. 2, 2016 that because the safety of the financial system is critical, he has made cybersecurity his top technology priority. He said he will use his authority as chairman
Council to push financial regulators to strengthen cybersecurity.
New Cybersecurity Initiative
Advanced Notice of Proposed Rulemaking (APNR) Joint rulemaking by Fed Reserve Board, Office of
Comptroller of Currency, and FDIC
Financial entities with $50b assets Purpose to establish standards making the largest
institutions and the U.S. financial system itself more
Includes 3rd party servicers Comment period over on Jan. 17, 2017
Tuesday-Homeland Security Secretary John Kelly gave 1st speech Described cyber threats as “relentless” and called cyber criminals and adversarial nation states “thieves, vandals, saboteurs, enemies of democracy and potentially so much more.’
Kelly said he is standing by…awaiting it with “baited breath.” No insight into when Donald Trump would issue long- postponed executive order on cybersecurity.
How long can you afford to wait? Besides your company’s reputation, what is the risk? Is there a price to be paid? Or is the best strategy to ignore the regulators?
On April 12th, OCR signed $400k resolution agreement and corrective action plan with Metro Community Provider Network to settle non-compliance issue with respect to 2012 breach. Prior to breach MCPN had not conducted a risk assessment.
Contact Us
One Last Thought
Huge shortage of cybersecurity
professionals
Much bigger shortage of another
category of professionals
Questions
Contact Us
Ray Hutchins Mitch Tanenbaum 303-887-5864 720-891-1663 rh@cybercecurity.com mitch@cybercecurity.com
To get our free weekly cyber security email newsletter,
please send an email to Mitch@CyberCecurity.com