U.S. Securities and Exchange Commission’s 2021 Examination Priorities report cover

How to Manage Cybersecurity Risks in Vendor Relationships

Extend your security bubble further than your business’s front door.

Managing cybersecurity risk is an arduous task for any organization, one that becomes even more challenging when trying to extend your security to vendor relationships. However, it has never been more important. Not only are cyber threats on the rise, but the U.S. Securities and Exchange Commission (SEC) made ensuring operational resiliency and information security one of its 2021 priorities.

Thankfully, last year the agency published a report on the due diligence companies should practice when dealing with vendor relationships. Covering the monitoring of vendors, contracts, customer information policies and other issues, the guidance provides much-needed advice for these complex business partnerships. Let’s explore some of its main tips, takeaways and findings for addressing security concerns with your vendors.

Why Does Information Security and Operational Resiliency Matter?

According to the SEC’s 2021 Examination Priorities report, breaches in information security can in fact “have consequences that extend well beyond [a] firm,” adversely impacting “other market participants.” The report further explains that, due to the radical increase in remote operations in response to the COVID-19 pandemic, cybersecurity concerns have been elevated further, requiring closer scrutiny of endpoint security, data loss, remote access, use of third-party communication systems and, of course, vendor management.

Understand Your Liability

It is a common misconception that if your vendor experiences a data leak, the onus is on them. Not true. State laws typically lay responsibility at the feet of the entity that collected the customer information in the first place. They usually limit vendor requirements to informing you that a data breach or hack has occurred. To safeguard yourself and your business, ensure that your vendor contracts explicitly detail how your customers’ data needs to be handled, what to do in the event of a breach and the expected timeline for dealing with any disruptions.

Vendor Management Programs

You likely already have some experience working with vendors, as well as an understanding of how time consuming such relationships can be. Unsurprisingly, adding cybersecurity concerns into the mix creates an additional set of concerns that need to be managed. Establishing a program that addresses security concerns and expectations at the beginning of the working relationship can help. This program should cover safeguards, how to evaluate vendors, independent audits and processes for terminating and/or replacing vendors.

Understanding and Monitoring Vendor Relationships

One positive finding from the SEC is that many advisers and their personnel already demonstrate a clear understanding of privacy and cybersecurity contract terms. Furthermore, these advisers display an awareness of the risks inherent to outsourcing work to vendors and best practices for limiting such risks. One way that companies accomplish this is through continuous monitoring of vendor relationships, making sure to stay apprised of any changes in the vendor’s services or personnel.

Ongoing Work

Despite this good news, firms cannot simply assume that their data protection policies are fully up to snuff or even rest on their laurels. Instead, they must treat vendor security as an ongoing, habitual process.

As the SEC noted, designing a vendor management program is a great place to start. Then, be sure to implement it. Build security requirements into your initial vendor contracts and make them as specific as possible. Run regular security audits, using questionnaires if necessary to rigorously evaluate your vendor’s security practices. You can also demand system and organization controls (SOC) for any vendor you choose to work with, requiring them to conduct a SOC for cybersecurity audit on an annual basis. Lastly, you and your company should be performing access and security reviews daily, always staying vigilant for unusual activity.

The hard truth is that, in our digital-first world, we all must work a bit harder to stay safe online and protect the integrity of our customers’ data. But by doing so, you will have a more resilient organization and satisfied client base. 

Confused young woman in a red striped sweater with cash on a yellow background.

Cash Offers: Title Implications and Questions

In a hot housing market, many buyers have turned to cash offers to get a leg up on the competition. Cash offers are often much more attractive to a seller, and it is not difficult to understand why. Cash can provide a pathway to a faster closing process. It frequently gives sellers more confidence. These offers even waive the requirement of having to conduct an appraisal.

Cash offers can also generate a bit of a confusion. For instance, how does eschewing a lender affect other parts of the closing process like a title search and insurance? Does it eliminate the need for insurance? If not, how and when should a cash buyer pursue title work? In this blog post, we will examine these questions.


Is Title Insurance Necessary for Cash Buyers?

          Title insurance is critical for a buyer to have regardless of whether there is a mortgage. Without a title search and resultant policy, no one is looking into who owns the property and what its issue may be. When a buyer obtains a mortgage, a title search is routine. But the contract and the obligation exist only between a lender and the title company – the buyer has no direct protection. If a defect exists, the title company is not duty-bound to fix it; instead, the buyer/owner could be liable for a lien or another defect.

          For example, consider a scenario where a home seller has a first mortgage for $100,000. A new buyer has obtained a loan for $125,000, and the property is worth $200,000 (in other words the buyer has invested $75,000 of their money). Meanwhile, there is a second valid but unknown mortgage of $50,000 against the property.

The lender uses this to assert their right to foreclosure and to take the property away. In such a scenario, the title company is required to defend the lender and protect their lien. The same can not be said for their relationship with the buyer. Instead, the buyer/owner must pay the unknown mortgage because they gave warranties of title to their lender.

Failing to do so could trigger a default. The lender, however, will not suffer losses. Under their title policy, there is enough equity to pay the newly discovered $50,000 mortgage and the lender’s debt. Without an insurance policy, the purchaser of the property could lose the title and, ultimately, their equity. They would be forced to pay the $50,000 to maintain ownership.

In each case, the seller is likely liable to the buyer for the $50,000, but when title insurance comes into play, the insurer will not only pay the loss but sue or pursue the seller for recoupment. But when there is no title insurance to speak off, all the costs fall on the buyer if they decide to sue the seller – who may not be able to pay even if the suit is successful. The same situation can develop in the case of a scam. If the seller is a bad actor and does not own the property, a buyer can wind up with nothing if no record search is conducted.  

What should be clear from that example is that, for just a nominal cost, title insurance can offer an easy remedy if there is something wrong. More importantly, it allows the buyer to know of any issues before investing money in the property. Title insurance also does not impede the advantages inherent in making a cash offer. As noted, one clear advantage of a cash offer is that it can speed up the closing process. Conducting a thorough title search does not disrupt this accelerated timeline. Typically, title work can be completed in 2-4 days and, depending on what is found, a commitment can be issued shortly afterward.

How and When Should Cash Buyers Procure Title Insurance?

When considering title insurance, an interesting question emerges regarding who gets to select the title insurance provider: broker, buyer or seller? To some extent, who does the referral and who pays for it is a matter of local practice. Typically, the party that pays makes the choice, but not always.

If possible, purchasers should maintain control over the issuer of the insurance. The buyer should want to know everything they can about the title’s status. Additionally, if the insurance provider is selected by the seller, there is the possibility that they may try to show that the title has few to no problems.

When searching for an agency, a buyer or realtor should vet the agency issuing the title commitment and verify that they are in good standing by obtaining that verification from the insurer. There is a universal ID that the American Land Title Association (ALTA) maintains and will verify an agency’s legitimacy. The insurer can also be contacted directly to verify their legitimacy. Phone numbers for the insurer are typically on the commitments or an online verification may be available at the insurer’s website. 

During a cash transaction, it is important to obtain a commitment to issue a policy from a reputable title agency or insurer as soon as possible. Receipt should provide an opportunity under the contract for purchase and sale to review and make objections – although there is usually a time limit. However, obtaining it right before closing does not allow time to object to an unacceptable defect.  

To Buy or Not to Buy Title Insurance

                It is not a requirement under the law that a cash buyer procures title insurance, so they can choose not to obtain it. However, there is no circumstance where skipping title insurance would be a good idea. Plus, with it being a relatively minor investment in the most expensive of jurisdictions, having the security that a thorough title review provides is more than worth the cost. You simply cannot put a price on peace of mind, and having a valid title policy is a great way to protect your all-cash investment.

breaking news orange

Cloudstar Outage: We’re Here to Help

AGENCY ALERT

Over the weekend, cloud-hosting and data security provider Cloudstar fell victim to a sophisticated ransomware attack. Alliant National was not impacted, however the attack has affected many agents across the country.

As a valued partner of Alliant National please know that we will make every effort to assist you and your agency if you have been impacted by this ransomware attack. During this challenging time, we are being as pro-active as possible by contacting customers and offering assistance.

Major title software vendors including Qualia, RamQuest, and SoftPro are offering hosting services to those affected by the Cloudstar attack, and there are other third-party vendors that may be able to help as well.

We have provided Alliant National forms packages to the major escrow software providers so they can be loaded quickly and easily into your environment if needed. The National Operations Center of Alliant National is on standby should you need assistance issuing individual Closing Protection Letters outside of your operating environment. We have our agency teams standing by to help you find a closing solution should you need a closing done to mitigate your reputational risk. In short, if you have a need, please reach out today to your Alliant National contact.

Please know that Alliant National will do anything possible to assist you and your agency if you are affected by this attack.

Additional information about this industry wide outage can be found here.

ISO27001 Seal of Excellence

Alliant National Achieves Coveted ISO 27001 Certification for 2021.

Longmont, Colo. – (July 8 , 2021) – Alliant National Title Insurance Company, a unique title insurance underwriter that partners with independent agents to improve their competitive position, announces the completion of the prestigious and coveted ISO 27001 certification audit for 2021.

ISO 27001:2013 is an information security standard published by the International Organization for Standardization (ISO), the world’s largest developer of voluntary international standards, and the International Electrotechnical Commission. Successfully completing this audit reflects Alliant National’s commitment to excellence in meeting rigorous international standards in ensuring the confidentiality, integrity, availability and protection of non-public information. The recertification is valid through 2024, subject to achieving satisfactory annual surveillance audits.

“We are proud to have completed this 2021 ISO 27001 recertification audit, which continues to distinguish the unique capabilities of Alliant National,” said David Sinclair, Alliant National President and CEO. “This annual audit provides confidence to lenders, state insurance departments and our stakeholders in our capabilities to protect non-public and confidential information. It speaks directly to our ongoing commitment to meet or exceed the highest standards when securing the non-public information that we are entrusted with every day.”

Alliant National’s initial certification was issued in May 2015. It was then renewed in May 2018 and April 2021 by A-lign, an independent and accredited certification body based in the United States. To achieve recertification, Alliant National had to complete a formal, independent recertification audit which tested and validated all 117 controls within the Information Security Management System framework.

Alliant National distinguishes itself from competitors by combining strong underwriting capability with independent agents’ in-depth knowledge of local markets. The result is a nationwide network with deep roots in local communities, and a wealth of expertise that is flexible, nuanced, and continuously growing.

Visit alliantnational.com for additional information.

MEDIA INQUIRIES

Cathie Beck
Capital City Public Relation
e: cathie@capitalcitypr.com
p: 303-241-0805

ABOUT ALLIANT NATIONAL TITLE INSURANCE COMPANY

The Independent Underwriter for The Independent AgentSM – Alliant National believes in empowering people to thrive.

The company protects the dreams of property owners with secure title insurance and partners with 500+ trusted independent title agents as a licensed underwriter in 27 states and the District of Columbia.

Blue binary code background with isometric padlocks in foreground.

Protecting Customer Data

The world is awash in data. And business owners must protect their customers.

Anyone who has been paying attention over the last couple of decades knows that data is all around us. We can’t see it. We can’t touch it. But it is everywhere, informing how we work, shop, explore and entertain ourselves. Data is also extremely valuable. Advertisers covet our data. And bad actors often weaponize it for identity theft and illicit financial schemes. 

It is imperative that business leaders protect their customers’ data. Not only is it the ethical thing to do, but it is also pragmatic. The way businesses use and protect customer data is rightly coming under increasing scrutiny. Additionally, businesses that mismanage customer data can experience significant consequences to their brand and reputation. With such high stakes, it’s important to be knowledgeable on best practices for data protection. Here are some tips to get you started. 

Conduct an Audit 

The first step toward a comprehensive and proactive approach to protecting your customer base’s data is to gain a full understanding of the various types of data your business holds. Is it social security numbers? Credit card information? Online account passwords? Real estate and title insurance professionals often deal with large amounts of sensitive data. Conduct an audit to ensure that you have a full accounting for everything you and your employees hold. 

Understand the Legal Basics 

Data protection laws vary depending on where your business is and the industry in which you work. It is wise to invest the time and resources to gain a full understanding of the basics as required by law and as they apply to your specific enterprise. For instance, most people know about the Health Insurance Portability and Accountability Act (HIPAA), the 1996 federal law that stipulates that healthcare insurance industries must protect customer health information from fraud and theft. However, other state-level laws apply to all industries. Become apprised of what is required of you by law when designing data protection policies for your business. There are ample resources online that can serve as an effective primer. 

Gain Buy-In

It’s all well and good if you want to take a proactive and fastidious approach to your customers’ data, but if you have employees, you are going to need their buy-in and compliance as well. If a chain is only as strong as its weakest link, then a business can only take a comprehensive approach to data security if it treats it as an organizational priority rather than a siloed effort. 

If Possible, Throw it Out 

Only keep data you need. Schedule routine reviews of the customer data you are holding and have a process in place to decide when you can safely dispose of it. Considering that you have an ethical and often legal obligation to safeguard customer data, this can be a great strategy for limiting your company’s exposure. 

Do What You Can

Protecting customer data can be an expensive and time-consuming effort. In fact, major corporations often spend millions of dollars to secure this information. You may not have access to such resources. However, there are still practical steps you can take to operate a more data-secure shop.

Consider, for instance, limiting employee access to data, only giving them as much information as they need to effectively do their jobs. Be sure to also have a process in place for properly destroying and disposing of both physical and cyber versions of customer data. Lastly, you could even consider looking into a designated server for your most sensitive data. While using a shared server might be more economical, it carries a security risk. 

Go the Extra Mile

We know that running a title agency is no easy matter. Time is always tight, resources thin, and sometimes it can feel as if taking on a new initiative will be the straw that breaks the proverbial camel’s back. Still, it’s important to remember that customers are worth the effort. As title professionals, our customers entrust us with some of their most sensitive data, and we must do our best to protect it.

This blog contains general information only, not intended to be relied upon as, nor a substitute for, specific professional advice. We accept no responsibility for loss occasioned to any purpose acting on or refraining from action as a result of any material on this blog.

Let’s Connect

Discover more stories and conversations on our social media networks,
or drop us a line on our contact page.


The Independent Underwriter for
the Independent AgentSM