Get ready: Regulators are Looking Hard at Cybersecurity of Third-Party Vendors

Industry Update
February 20, 2016

What’s voluntary today is going to be required tomorrow

As mortgage lenders and servicers try to shore up their own systems against data security breaches, a new regulatory focus on the security practices of third-party vendors could be even more daunting.
 
A panel at the Mortgage Bankers Association’s Mortgage Servicing conference examined the data security threats servicers need to address, and one glaring area of weakness was these vendor relationships. Specifically, the panel pointed to the guidelines from the New York Department of Financial Services on this issue that are voluntary now, but are likely — even highly likely — to be required in the near future.

“We talk to regulators every day and they have made very clear that they are looking at the security of these vendors,” said Richard Hill, vice president of industry technology at the MBA and moderator of the panel.
 
Indeed, the NYDFS caused ripples of anxiety last April when they made it known that one in three banks don’t even require their vendors to notify them of data security breaches, opening a potential “back door” into the banks’ systems. The report revealed the dirty secret that has been keeping executives up at night for years — many lenders have no effective system in place to monitor their vendors’ cybersecurity, nor any idea how to even start.
 
The panel’s discussion acknowledged the complexity of monitoring vendors at such a micro level when many servicers (and one assumes, lenders) have multiple vendors covering various systems. Even those who are implementing programs with new vendors have to contend with a host of legacy vendors that may or may not still be connected to their systems.
 
The NYDFS has taken on this issue, issuing a proposal in November 2015 that outlines steps for an effective cybersecurity framework. From that proposal:
 
Second, third-party service providers often have access to sensitive data and to a financial institution’s information technology systems, providing a potential point of entry for hackers. A company may have the most sophisticated cyber security protections in the industry, but if its third-party service providers have weak systems or controls, those protections will be ineffective. Finally, the scale and breadth of the most recent breaches and incidents demonstrate that cyber security is a global concern that affects every industry at all levels.

There is a demonstrated need for robust regulatory action in the cyber security space, and the Department is now considering a new cyber security regulation for financial institutions.
 
The MBA panel encouraged servicers to pay very close attention to these “guidelines,” which clearly lay the foundation for future regulation. Among the recommendations is a requirement to develop policies and procedures that address 12 areas, including vendor and third-party management. Within that area, the NYDFS outlines six specifics:
 
The policies and procedures would be required to include internal requirements for minimum preferred terms to be included in contracts with third-party service providers, including provisions requiring:

  1. the use of multi-factor authentication to limit access to sensitive data and systems;
  2. the use of encryption to protect sensitive data in transit and at rest;
  3. notice to be provided in the event of a cyber security incident;
  4. the indemnification of the entity in the event of a cyber security incident that results in loss;
  5. the ability of the entity or its agents to perform cyber security audits of the third party vendor; and
  6. representations and warranties by the third-party vendors concerning information security.

The guidelines also call for every financial company to designate a chief information security officer who would be required to submit annual reports to the NYDFS, and for companies to conduct annual penetration testing and quarterly vulnerability assessments.
 
It’s not hard to see why servicers and lenders should pay attention to these sweeping “guidelines.” The experts on the MBA panel urged servicers to do something — anything — to address these issues and offered several concrete ways to get started. The panel also warned that these types of checklist guidelines, while helping to keep servicers compliant, shouldn’t be confused for an actual cybersecurity plan.
 
The members of the panel, which included Thomas Clerici, information security officer at Freedom Mortgage, Joseph Dombrowski, director, product manager and chief mortgage strategist at Fiserv, and Kevin Hayes, senior principal at the Promontory Financial Group, acknowledged that security breaches are more a matter of when, not if, and emphasized that the steps servicers take to follow these vendor guidelines before a breach could be a significant factor as regulatory bodies judge their safety.

Source: HousingWire
