A national survey of title agents conducted by the American Land Title Association shows that our industry has farther to go when it comes to formalizing cyber and escrow security plans.
Results of the survey also hint that the threat landscape is
becoming increasingly perilous for title agents, consumers and others involved in real estate transactions.
Of the survey’s more than 750 respondents, 63 percent said the number of cybercrime attempts targeting their company increased between 2017 and 2018.
Roughly one-third of respondents also observed increases in fraud attempts targeting buyers, sellers and real estate agents over the same period.
Many title agencies have sought to combat the worsening cyber and escrow fraud threat by means of employee awareness.
More than half of respondents said their company reminds employees about the need to remain vigilant on about a weekly basis. More than 25 percent said those employee reminders are made on a monthly basis.
However, more than 20 percent of respondents reported that their company offers no training at all on cybercrime trends or red flags.
More troubling, however, is that despite the apparent increase in fraud attempts, just 62 percent of respondents said their company has a written cybercrime response plan.
Smaller agencies — those with gross annual income below $1 million — were also somewhat less likely to have formal cyber response plans, wire retrieval plans or training programs than were larger agencies.
Survey results also show that cybercrime insurance coverage among title agents of all sizes is not as prevalent as one might expect given the apparent increase in fraud attempts. More than 27 percent of respondents said their company does not currently have a cybercrime insurance policy.
While most industry participants have made strides when it comes to protecting escrow funds and sensitive information, the survey clearly shows that gaps remain.
The survey also provides an opportunity for all of us to redouble our efforts, particularly when it comes to formalizing cyber response plans.
To help, we’ll be posting a blog series in the coming weeks that will provide simple, actionable tips for improving and formalizing response plans, as well as plans for wire retrieval and staff training.
We’ll also talk about the importance of cyber insurance and provide insight on how to get the right coverages for your business.
In the meantime, check out the growing library of cyber fraud resources on the Alliant National Education page. Alliant National agents can also watch our brand new Texas Continuing Education webinar on information and escrow security.
Cyber insurance is now critical to help protect your business.
Cyber attacks are becoming
more frequent, clever and complex. Cyber insurance is now critical
to help protect your business from major expenses, business loss, and
regulatory fines and penalties.
General liability umbrella policies typically do not cover
cyber events (Target’s insurance policy only covered
36 percent of its $252 million data breach costs).
This insurance comes in many different variations and
costs, so it is important to know what product works best for you, considering
and balancing coverage and cost.
Four key elements comprise essential coverage to protect
against data breach and loss of customer data:
E&O
Liability
Network
Security
Privacy
What is most important is that both cyber-crimes and
liability are included in your coverage.
The policy may be a standalone, or a rider on to your
existing policy. Always buy the most
compressive coverage available that you can afford.
Here is why that is so important:
Broad coverage includes both first and third-party
coverage. First party only covers your business, while third party will cover
the claims against you from customers or clients as well as related damages and
court costs.
The below comparisons show why you need both cyber-crimes and cyber liability coverage:
Event
Liability Coverage
Crime Coverage
Loss of funds (escrow and operational,
personal) due to social engineering and electronic fraud or theft
No
Yes
Fraudulent electronic transfer or
divergence of funds
No
Yes
Employee electronic theft
No
Yes
Forgery
No
Yes
Cyber extortion (ransomware)
No
Yes
Data breach expenses including legal
costs, fines or penalties
Yes
No
Loss of assets and loss of business
income
Yes
No
Recovery of systems and forensics;
reputational damages
Yes
No
Economic damages through network
security failure or failure of privacy controls
Yes
No
Consult with your insurance carrier for specific coverage
offerings and cost and weigh the decision that is right for your business and
budget.
Remember, the
broadest form of coverage will best protect you and your business so while it
may be more expensive, your business will be better protected against the risks
we face in today’s business environment.
However, we don’t have to wait until a federal law is passed that orders banks to match the payee name on the wire transfer payment to name on the payee’s destination bank account (“Beneficiary Bank”).
As title and escrow agents, we can be proactive and in partnership with the banks with which we do business.
So, what can we do right now?
First, we can know what our Agreement with our Escrow Account Bank says.
Does your Bank Agreement say that your bank will check the payee’s name with the name on the destination account when a wire fund transfer is initiated?
Or, does it say your bank need only rely upon the account number it was provided in the wiring instructions order? The answers to these questions might lead to an opportunity to have a discussion with your partnering Receiving Bank.
We can also send the wire instructions on the payment order, with explicit directions that acceptance be restricted to match the designated payee’s name on the Beneficiary Bank account. If it doesn’t match, then do not send the funds.
Lastly, if something does go wrong despite our best efforts and precautions, then notify both the Beneficiary Bank and the Receiving Bank as soon as possible. Typically, banks require notification of an unauthorized transfer or error within a defined time period such as, for example, thirty or sixty days.
Aside from any contractual or legal requirement for early notification, the sooner the problem is communicated, the greater the odds of the bank being able to halt or pull back the wire funds transfer.
Really, that statement is about getting us to seriously consider the “what if.” For instance, “what if I suffered a data breach;” or, “what if, despite my best efforts, a criminal somehow managed to divert a wire to a fraudulent account?”
Thinking about the “what if” is uncomfortable, particularly when it comes to wire fraud. We spend most of our time and effort figuring out how to avoid the “what if” scenario.
The thing is, when it comes to attempted wire fraud, experience tells us that title agents who’ve spent time planning for “what if” are the ones who tend to get the money back.
The title and settlement industry is blessed with great people, and that makes sense because our industry is built on being helpful.
We all want a smooth, efficient transaction for everyone involved. Unfortunately, our desire to be helpful and to keep things moving makes us a prime target for wire fraud.
So, how careful do we need to be when verifying the legitimacy of an email or even an incoming phone call?
Very careful.
Fraudsters know about us. They know how busy we can be, and they know how to prey on our traits to overcome our data and escrow security training.
They aren’t just looking to trick us. They aren’t practical jokers. They are truly insidious “social engineers.”
