Cybersecurity: Remain Vigilant
July 25, 2019
By Vincent G. Danzi
“You may not be interested in war, but war is interested in you.”
The above phrase is usually attributed to Leon Trotsky, the Russian revolutionary of the early 20th century. Trotsky was surely thinking about the physical war that was ravaging Europe at the time and not about electronic “phishing” and “denial of service” attacks, but his overarching message is timeless. Its arc extends to today and beyond the horizons of the future: refusing to acknowledge a threat does not make it go away.
You may not be interested in cybersecurity, but cybercriminals and government regulators are interested in you and what you do to protect your clients’ information. The danger posed by concerted efforts to breach information stores has never been greater thanks to a multitude of factors. The day appears near when it may be the norm that real estate closings are conducted in completely virtual, remote form, where no human beings meet and no physical currency nor physical documentation changes hands. Evidence of such closings will only ever exist in the electronic form.
However, we don’t have to wait for the day of 100 percent virtual closings to see that the rising red tide of cybercrime already is lapping upon our shores. We are not exactly in the highlands, after all. The “traditional” real estate closing already offers a multitude of exploitable interactions and transactions. With great sums of money exchanging hands via wire transfer, and with a byzantine assembly of possible parties to a transaction, the criminal potential for electronic impersonation is substantial.
Those in the title insurance industry who are not keeping watch upon the issue of cybersecurity may be blissfully unaware of the baleful gaze of the electronic intruder. They make the very mistake that Trotsky’s axiom seeks to drive home.
A recent survey of title insurance providers conducted by ALTA provided some illuminating observations on the perception of cybersecurity as a threat to the industry and on the proactive measures taken by its members to deal with these threats.
Naturally, losses matter most when they are personal. One notable data point from the buyers suffered the loss more often than the seller by a ratio of four to one. If this was not an anecdotal result, it would seem to suggest that our insureds are squarely in the crosshairs of bad cybersecurity actors.
Of course, there are other ways one can reckon cybersecurity risk. Legal obligations under cybersecurity law present a regulatory compliance risk to organizations. Like other states, New York has been in the vanguard of promulgating regulation in cybersecurity. One of the key elements in New York’s regulation is that covered businesses must adopt a formalized company plan or program regarding cybersecurity.
A recent national survey by ALTA asked whether the companies they worked for have cybersecurity plans in place. Results revealed that over a third of the respondents either have no formalized plan or that they did not know whether their company had a plan. Presumably, if responses from providers in states that mandate having a cybersecurity plan were removed, the remaining portion of providers without such a plan would be even higher. It should be noted that the question as presented to the survey participants did not set forth any criteria for a cybersecurity program.
In New York’s regulation on cybersecurity, the term “Cybersecurity Program” is not directly defined either, but the regulation does provide a series of attributes that such a program must have (23 NYCRR 500.02). First, its animating purpose shall be to, “protect the confidentiality, integrity and availability of the Covered Entity’s Information Systems.” (23 NYCRR 500.02(a)) Cybersecurity programs must also expect to consider the specific nature of the covered entity and its business model. (23 NYCRR 500.02(b)). Furthermore, cybersecurity policies shall be designed to: (i) identify, assess and defend against cybersecurity risks, (ii) detect, respond to and recover from, breaches, and (iii) fulfill reporting obligations. (23 NYCRR 500.02(b)(1)-(6))
What we refer to today as “cybersecurity” is in many ways the same subject that we were initially introduced to as “privacy,” but now bulked-up and expanded. Whereas a company’s “privacy policy” governs how a company uses and handles consumer information, the notion of “cybersecurity” is at once more narrowly focused upon electronic privacy, and yet more broadly applicable to how a company safeguards information from bad actors. Whereas a privacy policy may concern policies and procedures designed to prevent the unnecessary dissemination of personal information, recent examples of cybersecurity regulation go beyond such internal safeguards and impose obligations on companies to actively anticipate and thwart attempts by outsiders attempting to breach company data-stores. Results from ALTA’s survey suggest that this proactive approach to cybersecurity safety is steadily being adopted amongst title insurance providers.
In the survey, over 20 percent of respondents answered affirmatively to whether they conducted “phishing testing.” Phishing is essentially a crime of impersonation, and phishing testing involves planned but benign attempts to manipulate those in custody of information or money with the aim of identifying and mitigating weaknesses in the organization. Phishing testing is a sort of electronic war-gaming, and the results to this survey question suggest that title insurance providers are perhaps starting to heed Trotsky’s words.
It seems clear that cybersecurity will be an increasingly important concern to title insurance providers. Even without innovation and evolution by those who seek to breach our information systems, the inexorable migration of our financial transactions to the virtual world is happening all around us. Inevitably, more of our future transactions will take place electronically. ALTA’s recent survey on cybersecurity suggests that the title insurance industry has begun to take an interest in the electronic battlefields of our present and future. As was true in Trotsky’s revolutionary time, and as is true in our own technologically revolutionary era, we must always be vigilant.
Vincent G. Danzi, senior vice president and senior counsel for AmTrust Title, can be reached at [email protected].
Contact ALTA at 202-296-3671 or [email protected].