
What are the latest best practices in ALTA Pillar 3 for title companies, their workforces, and their security infrastructures?
That’s a great question. And we’ve been getting it a lot lately from title company owners, executives, and IT teams.
So we decided to provide you with some definitive answers in this post.
Here’s what you can expect to learn:
- What Are The Changes to ALTA Pillar 3 In Version 4.0?
- What Do Title Companies Need To Know About ALTA Best Practice 3?
- What To Do Next To Prepare For ALTA Pillar 3 Compliance
Let’s get started with the basics.
What Are The Changes to ALTA Pillar 3 In Version 4.0?
ALTA announced the release of version 4 of its Best Practices Framework in a letter on January 23, 2023, with an effective date of May 23, 2023, for implementation. Here’s what they had to say about Pillar 3:
Though not reflecting the full extent of the proposed changes, the revisions that have received significant areas of attention include:
Pillar 3 (Privacy and Information Security Programs to protect NPI): Updates to the physical protection of NPI, inclusion of network and cloud security of NPI, further details on coverage of business continuity and disaster recovery plans, further details on the required oversight of service providers and third party systems, use of the ALTA Cybersecurity Incident Response Plan Template as a reference document for the written incident response plan, and requiring processes for addressing breaches or unauthorized access to NPI.
That covers the new requirements of Version 4 at a high level. All of the legacy Pillar 3 requirements from Version 3.0, like annual vulnerability and risk assessments, security awareness training, etc., are also still in place.
Pillar 3 is all about protecting Non-Public Personal Information, aka NPI.
As a quick refresher, NPI typically includes a first name or initial and a last name combined with any of the following: Social Security number, driver’s license number, state-issued ID number, credit or debit card number, or other bank or financial account information.
It’s also important to note that NPI can be maintained and stored in physical and/or digital format. NPI can be contained in customer applications, transaction records, files, and other relevant customer documents and communications.
Storage for records containing NPI might be maintained physically on-premise, in third-party physical archives, or in rented or leased facilities. Electronic storage might include on-prem computers and servers, remote work computers, mobile devices and laptops, colocated computers, and cloud servers and storage.
The bottom line is all NPI must be maintained according to Pillar 3 requirements. Incidents that led, or might have led, to compromised NPI must also be reported.
ALTA has provided numerous resources to help title agencies and settlement services companies comply with Title Insurance and Settlement Company Best Practices Version 4.
But it’s important to note that these resources and documents are intended for companies with large, comprehensive security and IT teams, which puts them beyond the scope of most small and mid-sized companies.
That’s where we can help.
What Do Title Companies Need To Know About ALTA Best Practice 3?
We’ve summarized the new ALTA Pillar 3 requirements contained in the Best Practices Version 4 framework. This is what it looks like at a high level.
From the ALTA Title Insurance and Settlement Company Best Practices Version 4, the Pillar 3 section starts with the requirement for a WISP, or Written Information Security Plan:
[Pillar] 3. Best Practice: Adopt and maintain a written information security plan (“WISP”) and a written privacy plan to protect NPI as required by local, state, and federal law.
Establish and implement a WISP designed to protect the security and confidentiality of NPI and the security of the Company’s information systems. The WISP should include:
In a nutshell, these are the main NPI security components:
- Multi-factor user authentication
- Password management plan that requires unique login names and system passwords to access systems containing NPI
- Timely software updates
- Physical security (including background checks)
- Network and cloud security policies to protect NPI on IT systems and infrastructure
- Development of guidelines for the appropriate use of information technology
Preparedness and Training
This summarizes the requirements of the Preparedness and Training Section:
- Establish, and periodically test, a written business continuity and disaster recovery plan
- Establish, and periodically test, a written incident response plan designed to promptly respond to, and recover from, a cybersecurity incident
- Periodically review the Company’s security controls and the Company’s WISP and make appropriate changes to address emerging threats and risks to the Company’s information systems and NPI
- Establish a training program to guide management and employee compliance with Company’s WISP and awareness of current and developing cybersecurity threats
We also paraphrased the last three major requirements of ALTA Pillar 3 v4:
Comply with applicable federal and state laws pertaining to securely maintaining records containing NPI.
Select service providers, contractors, consultants, and third-party systems whose information security policies are consistent with the Company’s WISP, including software tools and resources which may have access to NPI or store records containing NPI as part of their setup or operation.
Establish a privacy policy explaining how data is collected and used and publish it on Company’s website(s) or provide information directly to Consumers in another useable form.
To sum it all up, there are significant technology and physical security measures required in the latest version of ALTA Pillar 3 for title and settlement services companies. These measures impact your choice of vendors, consultants, service providers, software, hardware, and cloud solutions.
And the new version of ALTA Best Practices takes effect on May 23, 2023.
We recognize that you’re focused on serving your clients, not on physical and cyber security policies surrounding the collection and maintenance of NPI.
That’s why it’s time to meet your ALTA Title Insurance and Settlement Company Best Practices Version 4 compliance team.
What To Do Next To Prepare For ALTA Pillar 3 Compliance
SME is here to assist title agencies from start to finish in order to successfully meet ALTA Best Practice 3. Here’s what you can expect:
- Our team will perform a pre-assessment to determine your readiness level
- Our team will lay out a comprehensive plan to help you organize your compliance efforts
- Our team will recommend and implement security products and services as directed by your team
- Our team will work with you and your team to document and report successful completion of Best Practice 3
- We’ll be mindful of your budget and timeframe for implementation
Systems Management Enterprises, Inc. is a Virginia-based Information Technology and Security Company offering a variety of purpose-built, cost-effective solutions for your business needs.
We’ve been in business for over a decade—providing infrastructure services, managed security, compliance solutions, and technical support to small and medium enterprises in the title services space.
At SME, we have the experience, expertise, services, and solutions to help you maintain a secure, always-available, compliant technology infrastructure.
Do you have questions?
We’re here to help. Call us at 703-782-9140 or Schedule Your Free ALTA Best Practice 3 Assessment Today!