Cybersecurity and data privacy are of paramount concern in today’s financial services environment. Meeting the data security requirements outlined in the Gramm-Leach-Bliley Act and state-level requirements such as the NY DFS Cybersecurity Regulation (23 NYCRR Part 500) provides structure to our procedures. As a demonstration of a comprehensive cybersecurity program, Luxury Mortgage Corp. is recommending that every vendor in our network complete an independent third-party cybersecurity assessment. If that is not available, vendors should, at a minimum, demonstrate that they have the following cybersecurity controls in place, or have a roadmap developed to deploy each specific control by the date indicated:
- For security, compliance and maintenance purposes, all internal or cloud-based hardware, network devices and enterprise applications run either the current operating system release or, at most, one of the two (2) preceding releases.
- Anti-virus / anti-malware software on all endpoint devices (today)
- Professional-grade email on a registered business domain; no generic consumer addresses such as @comcast.net or @gmail.com (today)
- Comprehensive patch management for all devices, covering all operating system patches and third-party software (today)
- Multi-factor authentication for all remote access, including webmail (September 2018)
- The ability to encrypt email carrying sensitive data (September 2018)
- Whole-disk encryption on all technology assets storing consumer data, such as Microsoft Windows BitLocker (September 2018)
- Firewalls in place between devices and the public Internet (December 2018)
- Mobile Device Management for all smartphones and tablets used to transmit or store consumer data (December 2018)
Luxury Mortgage Corp. is committed to working together with our vendors to reduce the ever-growing threat posed to customers and to financial systems by cyber criminals. Our goal is to identify and mitigate internal and external cybersecurity risks that may threaten the security or integrity of our customers’ nonpublic information stored on your information systems.