New York Tech Regulations May Spread

Mortgage professionals nationwide should take note of new cybersecurity rules

The state of New York adopted a cutting-edge set of cybersecurity-compliance requirements in the waning days of 2016 that apply to any organization that reports to its Department of Financial Services (DFS). The regulation, known officially as 23 NYCRR 500, will affect a wide array of industries that do business in the state and with New York organizations or residents. This includes commercial and residential real estate financing professionals — such as mortgage brokers and servicers.

Key Points
New York’s new cybersecurity law (23 NYCRR 500) includes the following requirements:

Conduct penetration testing and vulnerability assessments;
Establish an audit trail and determine access privileges;
Implement application security and conduct risk assessments;
Identify cybersecurity personnel and intelligence;
Develop a third-party service-provider security policy;
Implement multifactor authentication;
Devise limitations on data retention and establish training and monitoring programs;
Ensure the encryption of nonpublic information; and
Ready an incident-response plan, and follow through on notices to the DFS superintendent.

The regulation provides for limited exemptions to some of these requirements, but all organizations regulated by the state’s Department of Financial Services (DFS) must comply with some of them.

Specifically, the new requirements mandate that organizations overseen by New York’s DFS must comply with regulations designed to anticipate, address and thwart cybercriminals. “This regulation requires each company to assess its specific risk profile and design a program that addresses its risks in a robust fashion,” the 23 NYCRR 500 regulatory language states.

While any mortgage professional working in the state of New York will almost immediately be impacted by 23 NYCRR 500, mortgage professionals throughout the country also should pay attention to the Empire State’s new requirements. In addition, businesses in virtually every industry face new and growing threats from cyber criminals, so other state governments are already taking notice of New York’s actions and may consider adopting similar requirements to safeguard personal and financial data.

Mortgage professionals who take action now will not only be ready for mandated compliance requirements if and when they do take effect within their jurisdictions, but they also will be taking steps to protect their clients’ information. That is obviously a good business practice and, potentially, a market differentiator for first movers.

Broad reach

New York’s new cybersecurity law became effective March 1, 2017, but there is a transitional period of 180 days before affected organizations need to demonstrate achievement of the first round of compliance. In addition, there are some limited exemptions, which apply to DFS-regulated companies with fewer than 10 employees, including any independent contractors, based in New York, or less than $5 million in gross revenue in each of the last three years — or which have less than $10 million in year-end total assets.

Additionally, covered entities that do not directly or indirectly operate, maintain, utilize or control information systems also are granted exemptions. Those companies that qualify for the limited exemptions must file a notice of exemption with the DFS on or before Sept. 1 of this year.

Companies that meet the established thresholds are exempt from the most onerous and costly elements of the new regulation. Even so, some of the requirements of the law represent best practices that aren’t terribly expensive or difficult to employ. A qualified information-technology (IT) or technology-security company can help put them in place quickly and easily.

“ Mortgage professionals collect, compute and share a great deal of sensitive information on a daily basis. ”

Even with the available exemptions, these new requirements will still significantly impact thousands of businesses throughout New York, as well as those located outside of the state but which conduct business in New York — such as a Connecticut mortgage broker working with a developer who is looking to purchase commercial real estate in New York.

These mortgage professionals should be aware of what they need to do, and how soon, in order to leave enough time to comply with 23 NYCRR 500. In addition, companies not operating in or connected to the state of

New York should still take the time to learn about the compliance requirements, and mentally audit their businesses to determine how far behind the curve they might be should similar requirements be enacted in their respective states.

Making the grade

For New York mortgage companies that fall under the oversight of the DFS, proposed requirements that need to be met by Sept. 1, 2017, include the following:

Establishing and maintaining a cyber-security program;
Implementing and maintaining a cybersecurity policy;
Designating a qualified individual (internal or outsourced) to serve as chief information security officer (CISO);
Limiting user-access privileges as part of the cybersecurity program;
Utilizing qualified cybersecurity personnel;
Establishing a written incident-response plan;
Notifying the DFS of cybersecurity events as required; and
Filing a notice of exemption.

An annual certification of compliance must be submitted to the DFS by covered entities, including mortgage companies, by Feb. 15, 2018. In addition, by March 1, 2018, the new law requires that the CISO deliver an annual report to the board or governing body of the company. Also by that date, companies subject to the full regulation must begin conducting annual penetration testing, bi-annual vulnerability assessments and periodic risk assessments; establish multifactor authentication (if needed); and provide regular cybersecurity-awareness training for all personnel.

As of Sept. 1, 2018, companies will need to have established audit trails as well as procedures, guidelines and standards for developing in-house applications. In addition, they must have established policies and procedures for data retention and disposal, initiated monitoring of authorized users and encrypted data both in transit over external networks and at rest. Within two years (March 1, 2019), organizations are expected to have implemented written policies and procedures to ensure security of nonpublic information that is accessible to, or held by, third-party service providers.

Mortgage professionals should carefully examine what levels of internal IT capabilities their businesses already possess and move forward from there to determine how best to meet these compliance requirements — or how to better position their companies should similar cybersecurity regulations be enacted in states in which they operate.

This review is an opportunity to make sure the business is doing all it can to protect its clients’ confidential information, because a cybersecurity breach likely would result in much worse ramifications than simply being noncompliant with the requirements. It could result in additional lawsuits and significant loss of business.

Operators of smaller organizations with no current internal IT capabilities should look for an IT service and security provider familiar with the regulations of 23 NYCRR 500 that can offer a turnkey solution with a package of services that meets all of the requirements set forth in the New York law. Small and midsize mortgage businesses with some internal or outsourced IT capability might need to work with an IT service and security provider experienced in cybersecurity solutions that can ensure compliance with every regulatory provision.

Larger companies with established internal IT departments might only need help complying with one or two of the provisions of the regulation. In these instances, the companies should look to partner with an IT provider that can offer à la carte services based specifically on the requirements of 23 NYCRR 500.

• • •

Mortgage professionals collect, compute and share a great deal of sensitive information on a daily basis. Whether they’re operating in New York or New Mexico, it’s in the best interest of their businesses — and their clients — to ensure they are protecting this data to the best of their abilities.

The state of New York’s regulation 23 NYCRR 500 outlines worthwhile steps to ensure the security of this data and of a mortgage company’s daily operations. It also offers a preview of potential regulations coming to more states in the not-too-distant future.

By Al Alper, founder and CEO, Absolute Logic

As Published:
“New York Tech Regs May Spread,” Scotsman Guide, April 2017