[PULSE] Lessons for lenders from the first cybersecurity enforcement action by NYDFS

Empowering your Chief Information Security Officer is key

Three years after enacting one of the country’s most exacting cybersecurity regulations, the New York State Department of Financial Services recently filed its first cybersecurity enforcement action.

In its July 21, 2020, statement of charges, NYDFS alleged that First American Financial, one of the country’s largest title insurers, failed to properly respond to a security vulnerability on its website. After a penetration test uncovered the vulnerability, First American misclassified the vulnerability’s risk, failed to properly investigate the vulnerability and the resulting exposed documents, and rejected the recommendations of its in-house cybersecurity team.

As a result, NYDFS alleges that the insurer’s website exposed millions of documents containing consumers’ nonpublic personal information, including bank account numbers, mortgage and tax records, Social Security numbers, wire transaction receipts, and drivers’ licenses. NYDFS seeks civil monetary penalties that could leave First American exposed to millions in liability.

While we await the results of the NYDFS’s hearing scheduled for October 2020, several key lessons can be learned from this enforcement action:

First, expect cybersecurity to remain a regulatory focus. The timing of the NYDFS’s inaugural enforcement action shows that cybersecurity remains a key priority for the NYDFS, even during the COVID-19 pandemic. NYDFS-licensed mortgage lenders are required to attest annually to compliance with the state’s cybersecurity requirements, which were enacted in March 2017.

If your mortgage company has attested to compliance but has not fulfilled NYDFS requirements — such as multi-factor authentication, cybersecurity training for employees, encryption, and penetration testing — you should prioritize completion as soon as possible.

Second, centralize controls and empower your Chief Information Security Officer (CISO). NYDFS alleges that First American’s controls and training were decentralized, and the company’s CISO was given limited responsibility for implementing cybersecurity processes throughout the company. Many mortgage lenders outsource the CISO function based on limited internal capabilities and capacity, as permitted by NYDFS regulations.

Nevertheless, it is important to ensure that outsourced CISO recommendations are heeded by a mortgage company’s top management. Controls and training should be implemented consistently company-wide, rather than allowing each business unit to implement its own processes.

Third, involve outside counsel when sensitive cybersecurity issues arise. The NYDFS’s charges reveal First American’s employees’ internal confusion and disagreements about how to address the vulnerability. Outside counsel can coordinate a response and minimize the chance that employees will prematurely speculate, and arrive at conflicting conclusions, about a security vulnerability.

Outside counsel can also establish an attorney-client privileged channel for communications, which will reduce the likelihood that unflattering documents relating to a data incident will become evidence in a legal proceeding. Mortgage lenders should retain, or at a minimum identify, competent cybersecurity counsel before cybersecurity issues arise.

Fourth, use outside cybersecurity experts. Under the direction of outside counsel, outside cybersecurity experts should be engaged to provide an independent, objective assessment of cybersecurity issues. This is preferable to relying on a mortgage lender’s own employees, who may be tainted by conflicts of interest.

Involving outside cybersecurity experts will also lessen the possibility that a mortgage lender’s employees will have internal disputes on how to respond to a cybersecurity issue. From the perspective of employees, these internal disputes can destroy morale. From the perspective of the NYDFS, these internal disputes can be problematic.
