This document summarizes a presentation on a comprehensive compliance solution called "Certification+" provided by three partner companies - PYA, Real Estate Data Shield, and Security Compliance Associates. It provides an overview of market drivers requiring title and settlement agents to improve compliance, a description of the bundled Certification+ services which include IT security assessments, training, and certification across several compliance areas. FAQs are addressed around the costs and benefits to agents of pursuing this compliance certification.
4. 4
Market Drivers
• Self-assessments no longer acceptable
• Lenders requiring 3-party certification
• 4.1.16 Equity Mortgage Bankers
• 3.24.16 Delta Community CU
• Cyber Security is No. 1 Concern for the industry
• Employees responsible for nearly 40% of all breaches
• Key lender regulators (CFPB, OCC, FDIC) published
bulletins on third-party risk management
5. 5
The Partnership
Who we are:
– PYA, Real Estate Data Shield, Security Compliance
Associates
– ALTA Elite Providers
– FNTG preferred vendors
– Best-in-Class Solutions Providers
6. 6
What is Certification+?
• Comprehensive compliance package for title agents,
settlement agents, RE attorneys, escrow companies,
notaries etc.
• Unique bundled services:
• IT security assessments (including Cyber Security)
• GLBA Compliance
• Certification of all ALTA Best Practice 7 pillars
• Employee Training
7. 7
What is Certification+?
We are a team of experienced professionals dedicated to assisting our industry
partners with meeting compliance challenges. Our executive team includes:
– A former national title underwriter executive with 35+ years of industry experience
– A state insurance department regulator
– A former title agent and current settlement firm principal with 25+ years of title and settlement
experience
– A CISSP (Certified Information Systems Security Professional) and IT security specialist with
more than 21 years supporting the US Air Force as Chief of Computer Investigations and
Operations with computer criminal, counterintelligence and counter espionage experience
– A CIPP (Certified Information Privacy Professional)
8. 8
• Affordable to both small and large agents
• Single point-of-contact
• Certification of all 7 pillars
• Gramm-Leach-Bliley Act (GLBA) Compliance
– IT and Cyber Security assessments
• World-Class employee compliance training
Agent
10. 10
Compliance Management Platform™
CEO and founder of Real Estate Data
Shield and The Gulotta Law Group, Chris
has represented institutional lenders in
mortgage finance transactions for over 25
years. He has developed compliance
management platforms and Data Security
Compliance tools for mortgage lenders,
title underwriters, independent title and
settlement agents, notaries and
attorneys. Chris is a Certified Information
Privacy Professional and sits on ALTA’s
Best Practice Task Force.
Christopher J. Gulotta,
Founder & CEO, Esq., CIPP
Paul Schwartz,
Chief Privacy Advisor
Richard Purcell,
Courseware Developer
An international expert on
information privacy law, Professor
Schwartz assists corporations and
law firms with regulatory, policy, and
governance issues. As professor of
law at UC Berkeley and Director of
the Berkeley Center for Law and
Technology, he has published widely
on privacy and data security topics.
A leading voice in consumer
privacy and data protection
challenges, Mr. Purcell is an
award-winning developer of
Web-based education and
training courses. As Microsoft's
original Privacy Officer, he
designed and implemented one
of the world's largest and most
advanced privacy programs.
11. 11
REDS 2.0
REDS 2.0 Includes:
– E-Commerce Website: Our new e-commerce website allows clients to
purchase our products and register employees directly through our
website with ease. This new web interface allows for east setup,
onboarding and management of users
– Updated Staff Training Courseware: Our award-winning courseware has
been updated and includes two (2) NEW learning modules
– Policies & Procedure Templates and Security Self-Assessment Tool:
Information Security policies & procedure templates and a company self-
assessment tool for companies to jump-start the compliance process.
12. 12
Additional REDS 2.0 Features:
– Client “Administrator” functionality allows for easy tracking of employee progress through a 2.0
dashboard.
– The new modules include our Compliance Coach Avatar “CC”, who will guide employees through the
courseware and learning process.
– The new “Preamble Module” educates employees and increases their awareness of the need to
safeguard NPPI and how to help implement Cyber Security in the office. Designed to change
corporate culture and staff behavior.
– The new “Summary Module” bolsters the educational content in REDS 1.0 with a deeper dive into
information security and the Privacy Smart® best practices.
– REDS 1.0 and REDS 2.0 were exclusively developed for the Title and Settlement industry by, (i)
Christopher Gulotta, Esq., a national recognized subject matter expert in title, settlement & Information
Security Compliance with a CIPP designation; (ii) Richard Purcell, Microsoft’s First Privacy Officer;
and (iii) Professor Paul Schwartz, of Berkeley Law School.
13. 13
Compliance Management Platform
• Compliance is the New Marketing
– Enhance your marketability by becoming a Cyber Secure environment
– Position your company to thrive in the new regulatory and contractual landscape and
“comply to survive” with the increasing regulatory standards
– Train your staff in privacy and security requirements & safeguards to better protect your
non-public personal information and escrow funds with our award-winning Data Security
Awareness Courseware
– Demonstrate internal controls that comply with federal and state consumer privacy and
security laws, rules, and regulations using our Information Management Compliance
Manual with guidelines, procedures and policy templates
– Assess your overall compliance with an assessment of vulnerabilities to reveal gaps and
pinpoint critical areas for remediation
• Compliance Management Platform™
– Prepare your company for lender compliance audits and contractual scrutiny
– Privacy and security law and regulations require it and regulators enforce it
– Lenders will contractually mandate it in the Post-TRID environment
14. 14
Compliance Management Platform Components
• Threats and
Vulnerabilities
• Controls and
Safeguards
• Information
Management
Governance
• Security Infrastructure
– Physical and
Technical
• Employee Awareness
Risk Self-Assessment
• Consumer Privacy
• Employee Data
Protection
• Acceptable Use of
Company Resources –
Employees
• Information Security
• Information
Management – Third
Parties
• Security Breach
Management
Policies & Procedures
• Information Management
for Real Estate Settlement
Services Companies (title,
settlement, attorneys,
notaries, escrow
companies, etc.)
Staff Training 2.0
22. 22
Compliance Management Platform™
• Information Drives the Digital Economy
– Advanced technologies have created efficiencies
– Regulators are focusing on how transitions to digital information management require
oversight of critical financial services
– Major players are turning scrutiny toward service providers to protect their interests
• Compliance As a Required Competency
– Comprehensive information management programs with documented policies and
procedures
– Regular risk assessment evaluation to detect and correct vulnerabilities
– Company-wide awareness and training communications
• Real Estate Data Shield’s Compliance Management Platform™
– Guidance and templates for a comprehensive program, fully documented
– Self-assessments for adherence to regulatory and best practices standards
– Award-winning web-based training supported by robust reporting
You can only manage what you can measure
23. 23
Christopher J. Gulotta, Esq., CIPP
Founder & CEO
Real Estate Data Shield, Inc.
(212-951-7302
*cgulotta@redatashield.com
For Marketing & Sales Inquiries:
Maria Meyers
Director of Marketing & Sales
( 212-951-7302
*mmeyers@redatashield.com
26. 26
pyabestpractices.com
Complimentary tools for Fidelity agents
• Gap Analysis: evaluation of policies and procedures
• Readiness Tool: Short questionnaire by pillar to
gauge compliance
Tools for Agents
27. 27
Menu of Engagement Types
As a public accounting
firm, PYA can work
along with SCA and
REDS to provide
higher levels of
assurance such as
SOC 2 or
examinations, if
necessary.
30. 30
SCA Background
• Founded in 2000
• Tampa’s 30th Fastest Growing Co - 2013
• Over 3,000 Assessment Assignments Completed
• Three Verticals – Coast to Coast
– Title & Settlement
– Financial Institutions (Credit Unions, Banks, Investment Firms
– Healthcare
• 35% Growth Since 2009
• 20 Team Members and Growing
• ALTA Elite Provider
31. 31
Engineer Certifications
• CISSP – Certified Information Systems Security Professional
• CISA – Certified Information Systems Auditor
• ISSMP – Information Systems Security Management Professional
• ISSAP – Information Systems Security Architecture Professional
• CEH – Certified Ethical Hacker
• CPT – Certified Penetration Tester
32. 32
Our Services
• External & Internal Vulnerability Assessment
• External & Internal Vulnerability Scans
• ALTA Best Practices Pillar 3 Certification –
Protection of NPPI
• GLBA Gap Analysis
• Cybersecurity Gap Analysis
33. 33
Our Services
• IT Risk Assessments
• InfoSec Controls Review
• Social Engineering
• Physical Security Review
• Network Architecture Review
• DoS Assessment
36. 36
FNTG Agent Benefits
• Legal Compliance as a Financial Institution
• Uncover vulnerabilities
• Become Cyber Secure
• Mitigate risks
• Access to IT Security expertise
• We help agents sleep at night
37. 37
FAQ’s
• What is the difference between a certification,
an examination, a SOC 1, or a SOC 2?
• What is the cost?
• My agents’ lenders have not requested a third-
party certification yet so why do I need
Certification+?
38. 38
FAQ’s
• What if my lender requests a higher level of
certification after I have completed a
Certification+ engagement?
• How do agents initiate the process?
• How do all three companies coordinate the
engagement behind the scenes?
39. 39
FAQ’s
• Where can I send agents for additional
information?
• What is involved in a GLBA assessment?
• What are common IT security remediation
items, and how does SCA assist?