Cybersecurity in the Title Industry
The advent of automation in the title industry has brought with it welcome changes. Increased speed of communication, fewer human errors, and movement towards paperless closings have created new standards and improved customer service. While it is imperative to implement technology that enables us to meet these higher expectations, it comes with a unique set of risks. The extensive amount of NPI (non-public information) collected for each transaction has moved from traditional file cabinets to digital space shared by cyber criminals. Protecting customer information has always been a top priority at Two Rivers Title. In fact, all financial institutions are mandated to protect NPI. Federal and state guidelines have existed for decades. The Gramm-Leach-Bliley Act of 1999 mandated how financial institutions must handle Nonpublic Personal Information (NPI) in order to protect consumers. More recently, New York has implemented legislation requiring enhanced security testing of cybersecurity procedures. The New 23 NYCRR 500, or the New York Cybersecurity Regulations for Financial Institutions went into effect on March 1, 2017 requiring all financial services institutions (as defined in the Regulations) to formally assess its cybersecurity risks and establish and maintain a program to address such risks. Recognizing cyber threats and associated risks is the first step in reducing vulnerability. Cyber Threats Phishing Scams are the most common way hackers obtain information. Phishing is an electronic attempt to acquire NPI by pretending to be a familiar or trustworthy source. We see these every day. Staff members receive emails requesting NPI. Sometimes simply opening the email allows cybercriminals to infiltrate the system causing a data breech, or implant software which locks down the system followed by a ransom demand. This is particularly threatening in a business that handles commercial and residential transactions. Information such as social security numbers, bank routing numbers, passwords, and credit card details are all examples of information typically entrusted to the settlement agent. Identifying scams and taking measures to stop them has become part of our daily routine. Wire Transfer Fraud has quickly become the most potentially devastating phishing scam affecting the title industry. In the case of wire fraud, the hacker obtains enough NPI and company information to pose as someone recognizable involved in a closing. The client, usually the buyer, is contacted electronically and told there “has been a change in their wiring instructions” or “please send the following amount by wire ahead of the closing”. The wire transfer information is fraudulent and, if sent, the money can be lost. Unfortunately, these scams have had a lot of success. In the case of a California escrow firm, a 1.5 million “cyberheist” forced the company to close. Https://krebsonsecurity.com/2013/08/1-5-million-cyberheist-ruins-escrow-firm We recently experienced a wire fraud attempt that was potentially catastrophic. An email was sent to a client impersonating our company email. They noted the correct-date-time of the upcoming closing and requested a wire be sent ahead. An investigation showed they had hacked into a realtor’s email account who was involved in the transaction. Luckily, this client thought it suspicious that the email had come from me and not the Paralegal assigned to the deal. They called to confirm the transfer and we stopped the attempt in its tracks. Had he not made that call, the outcome could have been devastating. Preventing Cyber Scams Industry standards require measures be taken to secure NPI. Alta Best Practices Compliance, Pillar 3, calls for a comprehensive analysis, written policy and security risk management program. “The program must be appropriate to the Company’s size and complexity, the nature and scope of the Company’s activities, and the sensitivity of the customer information the Company handles.” A complete risk management program includes determining digital assets such as NPI on clients, analyzing the threats represented by each, developing an appropriate security program for each threat within the company size and ability, monitoring and reporting. Implementing a comprehensive risk management program takes a considerable amount of time and resources. To reduce your vulnerability immediately, consider taking these measures: • Teach staff how to spot fraudulent emails • Communicate potential risks to clients • Instruct all parties of a transaction to call before sending any wires, and to verbally confirm any email requesting NPI • Change Passwords Regularly Protecting Yourself if You are a Victim Unfortunately, there are times that prevention fails and you find yourself a victim. Insuring yourself and your company against potential losses can mean the difference between staying in business or being forced to close your doors. Many insurance companies offer Cyber Insurance policies to help defray costs associated with data breech, data restoration, cyber extortion, crisis management, and cost recovery and mitigation. As more cases emerge, the Federal Courts are divided as to whether the typical fidelity crime insurance policies provide coverage for cybercrimes.(https://www.law360.com/articles/961966) While researching coverage it is important to understand your particular risks and to be insured against those risks. Some companies offer a complimentary assessment of your current vulnerabilities and will work with you as you continue to implement new systems. It is crucial to buyers and sellers and all the professionals involved in a real estate transaction that a settlement agent take its role as guardian of confidential information as seriously as its role in safeguarding the funds being transferred. Matthew Cohen, Esq. is a principal and title officer of Two Rivers Title Co.