BreachExchange mailing list archives

Hackers zero in on real estate pros


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 10 Oct 2014 14:17:32 -0600

http://www.rew-online.com/2014/10/10/hackers-zero-in-on-real-estate-pros/

These days, it seems that major data breaches, identity theft and data
security are continuously in the news – and for good reason.

Computer hackers around the globe, whether organized or individuals, know
they can steal with relative impunity from the comfort and safety of their
home offices.

Yes – theft is now a work from home opportunity – and a growing one at
that. Smart identity thieves and hackers have identified the most
vulnerable companies and are now turning their focus to small to mid-sized
companies, especially real estate professionals who often hold large
amounts of transactional funds in escrow.

While regulation to protect data that is targeted has been aimed first and
foremost at financial institutions, it is now being applied to the
financial transaction supply chains, other service providers or vendors
that handle the data, and in some cases the funds as well.

So let’s talk turkey – in the real estate transaction business, we are
talking about mortgage lenders, underwriters, and title and settlement
agents.

Of course, real estate professionals are constantly engaging these supply
chains – so they are increasingly in the chain of responsibility when it
comes to protecting clients’ money and non-public personal information
(NPPI) that is coveted by on-line thieves for identity theft scams.

Lenders, regulators, and title underwriters recognize that independent
title and settlement agents (ITSAs) play a critical role in the
facilitation of mortgage finance transactions. But only now are these
smaller real estate settlement service providers beginning to invest in
network, physical and administrative security as required by the
Gramm-Leach-Bliley Act and FTC privacy safeguard regulations.

These mostly small and closely-held companies possess the local knowledge,
expertise, efficiency and coverage needed, and provide consumers, lenders,
and title underwriters with the ability to consummate such transactions
nationwide, with nearly unlimited scalability, on a daily basis.

Beyond ensuring that lenders are primary lien holders, the role of ITSAs
requires that they have extensive contact with consumers and lenders,
handle highly sensitive NPPI, and receive and disburse huge sums of funds
funneled through mortgage disbursement and other escrow accounts.

This requires lenders, consumers and scores of parties involved in such
transactions to reach beyond the traditional expertise of ITSAs and to rely
upon their fidelity and adherence to a score of expanding federal and
state laws, rules and regulations.

The various regulatory agencies emphasize and generally are in agreement on
the following key points and expectations regarding lenders’ risk
management of their third-party service providers:

• Lenders are responsible for their third-party service providers:
Lenders’ use of service providers does not diminish their responsibility to
ensure that all related activities are conducted in a safe and sound
manner, consistent with applicable laws and regulations. In fact, service
providers are subject to the same risk management, consumer protection and
privacy obligations that would be expected if a lender was conducting the
activities directly. Service providers are also subject to the same
regulatory oversight and scrutiny as lenders.

• Reliance on third-party relationships can significantly increase a
lender’s risk profile. In particular, a lender’s strategic, reputation,
compliance, and transaction risks are all heightened by the use of
third-party service providers.

• To control this risk, lenders should adopt a risk management process
(RADDCO). A risk management process should include: (a) A risk assessment
to identify the lender’s needs and requirements; (b) proper due diligence
to identify and select third-party service providers; (c) written contracts
that outline duties, obligations, and responsibilities of the parties
involved; and (d) ongoing oversight (monitoring) of the third parties and
third-party activities.

• Lenders have flexibility in their oversight of third-party service
providers. A lender’s risk management system should reflect the complexity
of its third-party service provider activities and the overall level of
risk involved. Each lender’s risk profile is unique and requires a tailored
risk mitigation approach appropriate for the scale of its particular
third-party relationships, the materiality of the risks present and the
ability of the lender to manage those risks. Thus, no single system is
ideal for every lender or circumstance.

Heightened legal and regulatory compliance requirements are only part of
the picture. In addition, leading institutions have become more involved in
the regulatory arena, including multiple federal and state regulators,
lenders, and the industry trade association, the American Land Title
Association (ALTA).

Collectively, these parties aim at rendering the title and settlement
process safe and sound and ensuring it is conducted in a manner that best
protects consumers. ALTA’s Best Practices provides ITSAs with a tangible
list of critical criteria that endeavors to reconcile all regulatory
sources and industry mandates.

Compliance with ALTA’s best practices in some areas can be considered
common sense in terms of managing sensitive data within the workplace.

Physical tactics and office procedure policy can be employed to ensure data
is not easily accessible by theft of equipment or documents. When it comes
to protecting against hackers and the on-line theft and abuse of NPPI or
transaction funds, it is important to digitally protect data – whether it
is in motion or at rest.

The primary (and simplest) method to foil would-be data thieves is through
encryption software and services. While this often conjures up complex
algorithms and private keys, implementing encryption for stored data is
low-cost and easy to implement, and encryption services and solutions for
data in motion (via email and file transfer) are similarly low-cost, easy
to source and use – even for untrained recipients of encrypted messages.

While the current sensitivity and regulatory environment is not currently
focused on the real estate professional’s role in NPPI data exchange
security, clearly the “long-tail of compliance” is wagging through the
supply-chain that realtors rely upon to get their jobs done. Awareness, as
well as professional sensitivity to their need to protect NPPI and
transaction funds, is in the best interest of the industry and its valued
clients.

And now that regulators, lenders and data thieves are turning their
attention to the most vulnerable companies in this “dollar” and “data”
supply chain, real estate professionals – real estate brokers, mortgage
brokers, title & settlement agents, escrow companies, and all who traffic
in highly sensitive non-public personal information and/or transactional
proceeds – are on notice that they are being targeted.

Smart real estate professionals will see data security compliance as an
opportunity to distinguish their company from competitors and recognize
that in this new age of compliance, marketing is indeed the new marketing.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/