Bulletin: SLS00160
Dear Associates:
The Gramm-Leach-Bliley Financial Services Modernization Act (G-L-B) protects the privacy of nonpublic personal financial information relating to consumers and customers (Customer Information). Bulletin NL000103 discusses G-L-B and existing requirements.
Safeguarding Nonpublic ...
THIS BULLETIN IS FURNISHED TO INFORM YOU OF CURRENT DEVELOPMENTS. AS A REMINDER, YOU ARE CHARGED WITH KNOWLEDGE OF THE CONTENT ON VIRTUAL UNDERWRITER AS IT EXISTS FROM TIME TO TIME AS IT APPLIES TO YOU, AS WELL AS ANY OTHER INSTRUCTIONS. OUR UNDERWRITING AGREEMENTS DO NOT AUTHORIZE OUR ISSUING AGENTS TO ENGAGE IN SETTLEMENTS OR CLOSINGS ON BEHALF OF STEWART TITLE GUARANTY COMPANY. THIS BULLETIN IS NOT INTENDED TO DIRECT YOUR ESCROW OR SETTLEMENT PRACTICES OR TO CHANGE PROVISIONS OF APPLICABLE UNDERWRITING AGREEMENTS. CONFIDENTIAL, PROPRIETARY, OR NONPUBLIC PERSONAL INFORMATION SHOULD NEVER BE SHARED OR DISSEMINATED EXCEPT AS ALLOWED BY LAW. IF APPLICABLE STATE LAW OR REGULATION IMPOSES ADDITIONAL REQUIREMENTS, YOU SHOULD CONTINUE TO COMPLY WITH THOSE REQUIREMENTS.
SAMPLE PROGRAM - CONSULT WITH YOUR COUNSEL IN PREPARING A WRITTEN PROGRAM
SISCO Information Security Program
PURPOSE OF THE PROGRAM
The purpose of the Stewart Information Services Corporation (SISCO) Information Security Program is to outline the administrative, technical, and physical safeguards designed to:
· Ensure the security and confidentiality of SISCO customer information;
· Protect against anticipated threats or hazards to the security or integrity of such information; and
· Protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer.
SCOPE OF AUTHORITY
All employees, affiliates, contractors, temporary workers, vendors, and other third-party personnel who have been commissioned by SISCO to handle customer information are governed by this program. In turn, this Information Security Program is governed by applicable state and federal regulations in compliance with Title V of the federal Gramm-Leach-Bliley Financial Services Modernization Act (G-L-B).
ASSIGNMENT OF RESPONSIBILITY
The Board of Directors has appointed the Chief Information Security Officer (CISO) to be responsible for implementing and administering the Information Security Program. The CISO reports to the SISCO Board's Audit Subcommittee and provides quarterly updates on the overall status of the Information Security Program including:
· Current risk assessment, management, and control activities
· Service Provider arrangement concerns
· Overview and status of known security breaches, violations, or other concerns
· Summary results of security testing procedures
· Recommendations for program modifications or enhancements
RISK ASSESSMENT
Ongoing internal and external vulnerability assessments will be conducted for the current high-risk areas of the corporation. These assessments will be designed to identify technical and procedural vulnerabilities as well as the effectiveness of existing security policies and procedures. Additionally, the CISO will maintain a Corporate Risk Assessment Grid comprised of various anticipated risk factors, each weighted by its forecasted probability, resulting in a calculated risk value for a variety of technology systems, procedures, and data sources. The Risk Assessment Grid will be reviewed and updated on a quarterly basis.
RISK MANAGEMENT AND CONTROL PROCEDURES
The following security measures will be routinely employed to ensure the security, confidentiality, and integrity of all non-public customer and corporate information:
· All corporate applications will require individual user access controls and only specific access required to perform assigned duties will be granted.
· Security awareness issues will be communicated to all employees to reduce the probability of unauthorized individuals fraudulently gaining application access information.
· Physical security measures will be implemented at all locations where customer information is stored and at all corporate data center locations.
· Encryption technology will be employed for confidential corporate or customer information that is transmitted electronically over the Internet.
· A change management process will be implemented to ensure that all production system modifications are consistent with the Information Security Program.
· Information systems will be actively monitored to detect actual or attempted attacks on, or intrusions into, customer information systems.
· An incident response procedure will be implemented to outline the specific actions to be taken when a suspected or actual security breach or unauthorized access of customer or confidential corporate information has occurred.
· Corporate business continuity and disaster recovery programs will be established and maintained.
Individual policies, technical standards and management bulletins have been created to address the above concerns. These have been published on an internal web site for easy accessibility and global dissemination. Currently these documents can be found at https://itportal.stewart.com.
SECURITY TRAINING AND AWARENESS
The CISO will endeavor to promote on-going information security awareness through the following channels:
· Distribution of Employee Manuals to all employees requiring annual sign-off of agreement and compliance.
· Implementation of a security and privacy awareness Intranet web site including safeguarding customer data guidelines, incident reporting form, e-mail virus and hoax information, and other related topics.
· Regular articles published in corporate newsletters.
· Information security bulletins distributed to all employees to address security policy modifications, security alerts, and other urgent security issues.
OVERSIGHT OF SERVICE PROVIDERS
The CISO will ensure that due diligence is exercised in selecting Service Providers. All agreements with third-party Service Providers must be reviewed by Legal Counsel and include provisions for safeguarding SISCO customer information. All Service Provider contracts will require that a corporate Confidentiality Agreement be signed. When appropriate, proof that the Service Provider has met the requirements of the Gramm-Leach-Bliley privacy act will be required. Acceptable forms of proof are Service Provider audit reports, SAS 70 reports, or testing by the CISO.
SECURITY PROGRAM EVALUATION AND ADJUSTMENT
The CISO will continually monitor, evaluate, and adjust the Information Security Program to account for technology changes, emerging vulnerabilities and threats, and other relevant factors that may have an impact on the security or integrity of confidential corporate or customer information.
PROGRAM MODIFICATIONS
SISCO has voluntarily adopted this Information Security Program for its sole and exclusive use and may amend, modify, or withdraw it at any time without prior notice.