Heeding Momma’s advice, or dealing with the consequences


When we were children, our mothers told us to “eat a good breakfast,” “always eat your vegetables,” and “get plenty of exercise.”  As we grew older, their advice focused on more important life choices such as “don’t do drugs,” “don’t exceed the speed limit,” and “don’t hang out with the wrong crowd.”  Our mothers didn’t dispense this advice just to make our lives more difficult.  To the contrary, this advice was offered in hopes we could avoid the inevitable ill consequences that arise from not following such advice.

But, now we’re in the business world, and as title executives, we encounter things our mommas never taught us.  So, we must draw from all legitimate available resources in structuring our business dealings for best possible outcomes.  In this blog, we’ll cover some cybersecurity tips and best practices advice our mothers could never have anticipated.

Advice your momma never gave you

While our moms provided a plethora of guidance for our personal lifestyles, lawyers, industry regulators, judges, and other professionals are whom we must look to as sources of behavioral business advice.   Even then, despite our best efforts, we must anticipate and prepare for consequences resulting from any missteps or situations beyond our control.

In light of the recent “misdirected wire transfer scams” and “ransomware attacks,”  it’s important we seek sound advice to avoid becoming a victim of cyber criminals.  PYA Information Technology Principal Barry Mathis, a former CIO, CTO, senior IT audit manager, and IT risk management consultant says, “Accepting a verbal confirmation that your systems are patched and up-to-date is an unacceptable form of management.  Senior leadership should require vulnerability scans and reports that show the status of all devices in the network.   It’s not just about ransomware, it’s about the vulnerability of the device.  When it comes to cybersecurity, a single hole could sink the entire ship.”  Mathis recently authored a blog, “‘WannaCry’— Actions Your Healthcare IT Professional Wants You to Take Now,”  for healthcare providers that offers some important tips also applicable to other industries.

Another recent blog, “8 Steps to Avoid Being the Victim of the Next Ransomware Attack,”  from Morrison & Foerster LLP, offers good advice that title agencies and law firms should employ to minimize this risk, including:

  1. Making sure software patches are routinely applied.
  2. Using only supported operating systems and other software, if possible.
  3. Using anti-malware and anti-virus software tools and services.
  4. Backing up critical data.
  5. Training employees to spot phishing emails.
  6. Creating a cross-functional incident response plan.
  7. Practicing response to a ransomware attack in a table-top exercise in order to “hit the ground running” when this type of event occurs.
  8. Establishing or enhancing relationships with law enforcement and other critical partners.

A slightly longer list of recommendations appears in a free, easy-to-follow e-book written by attorney Brian Focth, “12 Steps for Cybersecurity: A Guide for Law Firms.”  None of these suggested actions are particularly difficult to implement, and just like following your momma’s lifestyle advice, you would be much better off taking these simple steps.

Simple, eh?  Despite our best efforts, we’ll likely stray from well-reasoned business advice and fail to perform one or more recommended actions.  But, even more troubling, is that even 100% completion of each recommended action is no guarantee that a cyberattack won’t happen.  And for that, we must prepare for any consequences.  In this business context, cyber-insurance coverage is one of your best defenses.

Protecting against inevitable consequences will require some investigation

The challenge is that while most businesses already have “professional liability” and “general commercial liability” policies in place, most don’t know what is actually covered or excluded under those policies.  Remember that, although you paid a premium for protection against a series of different risks, you can only be sure that the risks you want covered are in fact covered by carefully reading each policy.  Here’s another piece of advice worth following: “Read your policies before you have a loss incident.”

This is where some business advice is really needed.  Many business owners ask, “If I read an insurance policy, what should I look for?”  A helpful blog on this topic, “No More Tears: Insurance Coverage For The ‘WannaCry’ Ransomware Attack,” was recently published by Tyrone R. Childress, Richard DeNatale, and Jason B. Lissy, all lawyers with the Jones Day law firm.  The blog notes that of the approximately 70+ cybersecurity insurance carriers offering cybersecurity policies, none are the same.  As a result, any policy you have, and any that you are proposing to secure, should be carefully evaluated to ensure coverage of the specific risks for which you are concerned.  Many of the policies will not address specific risks, or will exclude coverage for certain risks, but insurers point out that, in most cases, these policies can be customized to meet your needs through available endorsements that add coverage or delete exclusions.

My advice is to become familiar with the variety of both first-party and third-party coverages that carriers offer so you know what to look for and what to ask for if it is not covered.  A great resource for understanding and evaluating the types of coverages and policies available is an article, “Cyber Insurance for Law Firms,” written by Jeffrey A. Franklin, Esq., in the May/June 2016 issue of GPSolo, an American Bar Association publication.

Overlooked benefit to implementing recommended cybersecurity measures

Finally, you must remember that policy premiums vary, based upon the carrier’s assessment of its risk of loss.  Just like a life insurance carrier is going to charge more for a person with diabetes and high blood pressure, a cyber insurance carrier is going to charge more for those who can’t provide proof of having: timely applied software patch updates, conducted adequate staff training for detecting phishing attacks, or implemented security safeguards such as use of strong passwords.  Your ability to demonstrate that your office exercises industry Best Practices, like those covered in Pillar 3 of ALTA Best Practices, will have a significant impact on what you pay for needed coverage.

If you are serious about doing all you can to avoid becoming a victim of cybercrime, adopting and actually implementing the procedures outlined in Pillar 3 of ALTA Best Practices is the best tactic you can employ.  However, even this can’t ensure you won’t become a victim.  Securing a broad-based cyber insurance policy providing protection against financial loss is your next best hedge against this ever-present risk.  However, you can maximize these efforts by achieving a certification of compliance through a qualified, independent third party.  By taking this additional step, you can earn a substantial discount on the premiums charged by the cyber-insurance carrier and use this discount to defray the cost of the certification.  In the end, successfully completing an assessment for compliance with ALTA Best Practices can not only demonstrate the desirability of your firm to lenders, but help you substantially minimize the cost of protection and any actual financial loss that will arise when a cyber-attack on your firm inevitably occurs.

In conclusion, there are three excellent reasons you should consider securing a Best Practices certification of compliance:

  1. You can minimize many of the dire consequences that naturally arise from failing to completely follow good industry advice.
  2. You can achieve substantial savings on the costs of cyber insurance.
  3. Your momma would be proud of such a decision.

On My Soapbox—Is it Fair to Make Title Agents and Law Firms Prove Compliance with Best Practices?

For those in the title and legal industries, it can be more than a little annoying to have one’s role in representing lenders characterized as merely that of “third-party service provider.”  Title agencies and law firms perform the same trusted services for the lending community today—handling confidential bank client information and millions of dollars of lenders’ funds, as they have day after day for the last half century!

That being the case, why are title agencies and law firms now being required to jump through hoops to prove they are in compliance with either newly imposed bank standards or ALTA Best Practices?  Can anyone point to an explosion of cases where title agencies and law firms providing services to bank clients have been repeatedly harmed?

The short answer is “no”—currently there is no extensive list of data breach cases that could give rise to the conclusion that any sort of crisis has arisen from dealing with title agencies and law firms.  For those two specific industries, there is almost nothing that lenders can point to and say, “That’s why we need to make every one of you prove that you are following existing law.”  To the contrary, many in the title and legal industry want to tell the lending community, “We are doing a good job, and there is no reason to make us prove compliance when there is no proof of non-compliance.”

Unfortunately, there are some highly visible examples of other bank service providers who have caused the banking industry huge losses.  The following is a list of fines that were levied on financial institutions, not because of what they did, but as a result of the compliance violations committed by third-party vendors hired by those financial institutions.  The blog “Regulators Go After Banks for Vendor Management,” by Reed White, an associate in Bryan Cave’s Atlanta financial institutions practice, outlines the following examples of some of the levied fines:

  • Consumer Financial Protection Bureau (CFPB): Discover Bank, $14 million civil penalty (September 2012)
  • Office of the Comptroller of the Currency (OCC): American Express Bank, estimated $6 million in restitution (September 2012)
  • CFPB: J.P. Morgan Chase, $309 million in restitution and $20 million civil penalty (September 2013)
  • CFPB: American Express, $59.5 million in restitution and $9.6 million civil penalty (December 2013)

Continue Reading