By Bryan Johnson, IT Director, 星空传媒

Keeping your agency鈥檚 data and digital assets safe these days can often feel like a never-ending battle. Unlike you and your team, fraudsters and other criminals never take a day off. They don鈥檛 go on vacation, and they never get sick. Because of this, your agency needs a cybersecurity policy that is also always-on. While this requires many moving pieces all working harmoniously together, today we are going to focus on just one important element: passkeys.

What are passkeys and why do they matter?

You may already be familiar with passkeys. If you have an iPhone, you may have seen prompts to save a passkey for a supported app or website. If you choose to do so, you often won鈥檛 need to enter your password again on that device. Instead, you approve the sign-in with Face ID, Touch ID, or your device passcode, and the passkey authenticates you to the app or site.

Passkeys use what is known as 鈥減ublic-key cryptography.鈥� In plain English, that means that passkeys create two linked digital keys鈥攁 public key, stored by the website or app, and a private key, which stays safely on your device. These keys work together upon sign-in to verify your access, all while never exposing a password that a hacker can pick off and weaponize.

This is obviously a nice thing for consumers from a convenience perspective, but passkeys also hold numerous security advantages. Traditional passwords are more vulnerable to thieves because users often reuse them across sites鈥攎aking them easier to guess. Passkeys, on the other hand, cannot be reused, rendering that security concern irrelevant.

In addition, passkeys are never 鈥渉oused鈥� in the systems of a website or app. They stay safe on your local machine. This means that even if a company experiences a data breach (an all-too-common occurrence these days) there will be no sensitive user information to steal.

Perhaps most importantly, passkeys greatly reduce the prospect of a user getting 鈥減hished鈥� by a criminal. Phishing is one of the most common cybersecurity concerns out there. It works so well because human error often happens online and hackers have gotten very, very good at tricking people into handing over their sensitive information.

Passkeys largely negate that concern. If a cybercriminal tricks someone into going to a fake website, for example, a user鈥檚 passkey will not work on it. Or to put it another way, with passkeys, users are not at risk of accidentally giving away a reusable asset that can be exploited. In fact, they are not giving away an asset at all, but half an asset that requires the other key to work.

Make passkeys central to your cybersecurity approach

Clearly, passkeys can be just as valuable to businesses as they are to individual users, especially businesses like title agencies that must routinely protect sensitive data and user information. There are multiple systems and touchpoints where deploying this technology would reinforce your overall security posture, such as employee email, escrow and transaction systems, document portals, and any client-facing accounts where closing information may be shared.

Once you鈥檝e made the decision to deploy passkeys, the best way to start is with the systems you are using every day. Many agencies, for example, use some variation of Microsoft 365 or Google Workspace to handle employee emails and other business applications. Within these platforms, you can turn on passkey support and then start testing internally to see how it works. Once you get the lay of the land, you can expand it throughout the rest of your team.

You can, of course, build your own system, but it is generally not recommended unless you have strong identity management experience on staff. Creating your own passkey server can be expensive and time-consuming, and unless you know exactly what you鈥檙e doing, it can lead to a critical security incident.

Taking the bait

Our digital-first world is an amazing place, but it can also be a fatiguing one. While people can and must take breaks, our security systems cannot afford to. The criminals and hucksters out there are always circling, looking for a weak point in your defenses. While passkeys can鈥檛 keep all these threats at bay on their own, they can do a lot of good. Passkeys eliminate some of the most common methods thieves utilize to attack your team, harm your agency and steal your data. They disrupt routine phishing methods. And they ensure that even if you wind up taking their bait once in a while, there is nothing worth reeling in.

The post Deploy Passkeys in 2026 for Better Security appeared first on 星空传媒 星空传媒 Title Insurance Co..

By Bryan Johnson, IT Director, 星空传媒

What exactly is success鈥檚 secret sauce? Well, Malcolm Gladwell would say that repetition is the key. The writer and public intellectual once famously claimed that it takes 10,000 hours of practice to master something. I don鈥檛 know if that specific number is accurate or not, but I do know that repetition is integral to a successful cybersecurity posture for any business. One thing that makes cybersecurity so tough to get right is that an effective strategy hinges on many moving parts. Not only do you need the right technical solutions, you also must ensure employees understand the risks and practice secure habits online. Having standardized, repeatable processes can go a long way toward mitigating this complexity and keeping your business safe from harm. From my perspective, these are the top three you should focus on at your agency.

1.) Review system updates

Keeping your systems, programs and applications religiously up to date is one of the best ways to avoid compromising your business鈥檚 security. Although it seems like it should be common sense in 2025, many companies still do not do this consistently. A recent study, in fact, showed that nearly 8 out of 10 companies are running on some form of outdated technology, which can lead to significant consequences. System updates often include critical security patches. If left uninstalled, your company can become a prime target for advanced malware and cyberattack strategies. Not to mention, leaving application updates uninstalled can mess with your compliance goals and damage your firm鈥檚 reputation.

Now, I鈥檝e been in this game for a long time. I know that keeping your systems continually updated can be an annoying and, if you鈥檙e not careful, time-consuming process. According to one report, your average small- to medium-sized business (SMB) utilizes an average of 58 applications, with many requiring continuous updates.[i] That makes it essential to stay on top of this process to ensure that your team is always running the latest versions of their solutions and tools. 

2.) Review security logs

Just as important as frequently updating your systems is diligently reviewing your security logs. The average organization these days is generating more data and utilizing more network endpoints than ever before, which makes this a particularly important process to run in 2025. Some people don鈥檛 know this, but often cyber incidents aren鈥檛 immediately obvious. It鈥檚 not as if an attack happens and suddenly you鈥檙e facing a glitching computer screen or an ominous message shaking down your business for all it鈥檚 worth. Most incidents begin in a subtle and almost imperceptible fashion, which is where the utility of checking your logs comes into play. By turning this into a routine activity that you do every week, you鈥檒l be better positioned to spot potential abnormalities and take swift action on worrisome issues before they balloon into a crisis.

3.) Run security trainings

While it may come last, keeping your team current on the latest security changes, challenges and best practices is no less important than the other points on this list. In fact, it may be the most important way to ensure the safety of your entire operation. The data is clear on what can happen if you don鈥檛 take this seriously, with some reports listing human error as the origin of 95% of data breaches.[ii]  

There are a lot of best practices for running successful cybersecurity trainings. The most critical principle, though, is that they need to be mandatory and consistent. Remember, a strong, solid cybersecurity posture always requires an all-hands-on-deck approach. It only takes one user to click on a phishing email or mishandle a system password and the whole thing can fall apart.

And so, while it is never easy to add another standing meeting to the calendar, especially for busy title insurance folks, establishing a consistent, habitual training schedule is non-negotiable if you want reliable security.

It鈥檚 not as easy as 1, 2, 3, but鈥� With something as complex as cybersecurity, can you ensure success by simply making the above-mentioned processes a habitual part of your routine? Not by a long shot. Almost nothing in our digitally connected world is so simple that it can be solved with a mere three-point list. That said, practicing these processes on at least a monthly basis is a great way to be ahead of the curve. They will ensure that you have the latest security patches installed, incidents are caught early, and team members are aware of the latest cyber risks and how to avoid them. And that will put you on a defensive footing that may not be bulletproof, but is certainly better than many organizations out there.

[i]

[ii]

The post Make Cybersecurity Simpler: Three Habits For Better Business Security In 2025 And Beyond appeared first on 星空传媒 星空传媒 Title Insurance Co..

Mary Poppins鈥� famous line, 鈥淛ust a spoonful of sugar makes the medicine go down,鈥� simply does not work for compliance with FinCEN鈥檚 Residential Real Estate Rule (Final Rule). You can approach it with a good cup of coffee or tea by your side, along with your favorite tasty treat (did anyone say 鈥渓emon poppyseed cookie鈥�?), but you can鈥檛 sugarcoat the truth of it.  Collecting up to 111 data points and transcribing them into a complex reporting form promulgated by FinCEN is no easy feat. However, efforts are underway to make compliance with the Final Rule more understandable, bearable, and easier to achieve. How so, you may ask?     

In our last blog about FinCEN鈥檚 Final Rule, we briefly described a comprehensive two-day ALTA FinCEN Bootcamp training session held on June 2 and 3, 2025. Now we鈥檙e going to go a bit more in-depth with our coverage. 

Over the course of those two days, numerous speakers presented a variety of topics geared at providing background information, operationalizing advice, implementation requirements, and training materials for compliance with the Final Rule:

• Overview of Bank Secrecy Act (And Usefulness Of The Data Collected Under It)
  • Money Laundering and Real Estate
    • Real Life Examples Of Bad Actors Using Real Estate For Money Laundering; Resulting Real Estate Forfeitures And Treasury Auctions
  • 411 on FinCEN Residential Real Estate Rule (31 CFR 1031.320(b))
    • Who, What, When & How to Determine A Reportable Transaction
    • Expectations for Training, Reporting, and Record-keeping Costs
    • Penalties for Non-compliance (Civil & Criminal)
    • FAQs
    • Suggested Contractual Language for Residential Purchase Contracts
    • Suggested Schedule B-1 Commitment Language
    • Current Industry Lawsuits Against FinCEN
  • The Rule in Action (Hypothetical Scenarios)
  • How to Train Your Customers (Providing A Sample PowerPoint presentation For A 鈥淟unch & Learn鈥� That Can Be Branded And Used By ALTA Members)
  • The Collecting Is The Hardest Part (Data Points and Information Collection Forms)
  • Fun with Filing (How To Do It 鈥� Using The BSA-EFiling System)
    • Review Of 鈥淲ho鈥� Files per the Rule (i.e. The 鈥淲aterfall Cascade鈥�)
    • Designation Agreements For Someone Else to File
    • Registration For EFiling
    • System Requirements
    • Volume Of Covered Transactions
  • Training Your Staff
    • Selecting Subject Matter Expert (SME) Employees
    • Resources (FAQs, Published Rule)
    • Workflow Considerations
    • Record Retention And Storage
    • Staff Impact; Company Communications; Training for the Reporting Person

As you can see from the list above, there is a LOT to learn and do in order to prepare for the Final Rule鈥檚 impending effective date of December 1, 2025. Discussions about the new and Information Collection Forms developed by ALTA were incorporated into the training. These are complex forms intended to help the buyer鈥檚 and seller鈥檚 representatives provide all of the required data that will ultimately be included in the report to be filed through the BSA EFiling network. To access these forms via the hyperlinks provided, you must be logged into the ; these forms are available to ALTA members and to those who obtain a license to use ALTA鈥檚 policy forms. At the end of each form is a certification page for the seller鈥檚 and buyer鈥檚 representatives to sign, certifying to the completeness and accuracy of the information provided. We anticipate that these forms will be widely used across the industry, so it is important to understand and be familiar with them.

The idea behind the training is that if the rule, the requirements and the process are understood by all key stakeholders 鈥� including the real estate sales agents as well their customers 鈥� then securing their cooperation for data acquisition will be much easier for the closing agent charged with reporting to FinCEN. The ALTA Bootcamp segment entitled 鈥淗ow to Train Your Customers鈥� is tailored to educate everyone about the law and what they need to do to comply. For those of you who did not attend the Bootcamp, or who want a refresher, 星空传媒 星空传媒 plans to provide its own training to real estate sales agents toward the end of the summer and you are welcome to attend.

We have developed an 星空传媒 星空传媒 branded presentation, which you can also co-brand with your agency鈥檚 name, for you to offer to customers and real estate professionals. In addition, we will be offering a deep dive into the Final Rule starting in late summer or early fall presented by the 星空传媒 星空传媒 underwriting and education teams. This training will help you identify reportable transactions, understand available exemptions to the rule and navigate potential pitfalls which could result in non-compliance and potential penalties. The goal of this presentation will be to train our agents to be experts on the Final Rule well in advance of its December 1, 2025, effective date.  In the interim, we encourage you to monitor industry and 星空传媒 星空传媒 publications on FinCEN, review FinCEN FAQs currently available, , practice a dry run into the BSA Efiling Network, https://boir.org/, and speak to your production software vendor about their plans for an integrated filing process. It is never too early to start the process regarding the Final Rule.  

The post Preparing for the FinCEN Final Rule 鈥� and Its 111 Data Points appeared first on 星空传媒 星空传媒 Title Insurance Co..

By Bryan Johnson, IT Director, 星空传媒

Have you heard of shadow IT? The term conjures images of masked criminals poking around on your server or installing dangerous devices. Yet shadow IT is usually more mundane, referring to applications installed without IT鈥檚 permission. It鈥檚 important to remember, though, that just because something is commonplace doesn鈥檛 make it safe. Here, 星空传媒 星空传媒 IT Director Bryan Johnson explains the dangers of shadow IT and how you can combat its use.

The phrase 鈥渟hadow IT鈥� can sound scary. It evokes images of hackers lurking in some dark corner of your technology stack. Shadow IT, though, is often neither clandestine nor malicious. It merely refers to any piece of software or hardware installed by a user without an IT department鈥檚 permission. Quite often, this is done merely to gain greater productivity and involves popular applications like Gmail, VOIP apps like Skype (RIP) or even custom Excel documents. But the absence of ill intent doesn鈥檛 mean shadow IT is harmless. It can cause security problems and derail compliance. To avoid this, agencies need to understand the problem of shadow IT and have a game plan to curb its use.

Shadow IT is a growing and serious problem

The data shows that shadow IT has become an increasingly prevalent problem in recent years. For instance, one recent study predicts that by 2027, three in four workers will use technology that IT departments can’t technically “see.鈥�[i]

But it isn鈥檛 just a quantitative problem. Shadow IT also poses real qualitative issues. Another recent study took a deep dive into 鈥渕alicious requests,鈥� which occur when someone, usually a hacker, sends a request to a site, server or device with the intention of doing harm. Nearly 31% of the 16.7 billion malicious requests they observed involved unsecured APIs,[ii] which are a common attack vector that can wreak havoc on an agency鈥檚 systems.

If that wasn鈥檛 bad enough, the numbers also show that shadow IT users often have a bit of a reckless streak. A Gartner study revealed these users are about twice as likely to take risky actions as their co-workers,[iii] posing significant security risks. And with the average cost of a data breach hovering around $5 million,[iv] that’s something you never want to take lightly.

The problems involved with shadow IT go beyond security too. It can also upend your firm鈥檚 compliance. Unauthorized apps and programs often bypass normal security measures, potentially exposing sensitive data. That puts you at greater risk of running afoul of industry best practices and privacy laws, not to mention undercutting audit-readiness and increasing your liability. All in all, it can lead to problems that can be very difficult to recover from.

Putting a plan in place

Now that we can see the scope of the problem and the potential consequences involved, we can move on to the more important question: So, what can we do about it? Here are three strategies I think can be most helpful for stopping shadow IT:

• Knowledge is power: Like a lot of IT issues, one of the best ways to combat this problem is simply to talk to your employees about what shadow IT is and how it can imperil your business. If you鈥檝e built a good team, they will acknowledge the severity of the issue and take action to prevent it.
  
  
• Deter don鈥檛 punish: Alongside education, take direct action to detect unauthorized applications. Networking monitoring tools, DNS filtering and endpoint security are all invaluable for accomplishing this goal. You can also audit your cloud computing usage for greater visibility. It should be said that this strategy should always be about detecting and deterring鈥攏ot punishing. As we鈥檝e discussed, shadow IT usage often occurs to help not harm an agency. Always keep that in mind.  
  
  
• Optimize your IT infrastructure: Perhaps the best way to stop shadow IT usage is via continuous improvement of your existing IT stack. Survey your employees to understand which IT tools are helpful and which aren鈥檛 and then implement new solutions to make their workflows simpler. Be sure to review your IT governance policies alongside any improvements you鈥檙e making. Reviewing and revising these policies can improve understanding and ensure alignment around acceptable use.

Turn on the light to stop shadow IT

With all the security challenges out there, the last thing you need is to worry about what applications your employees are installing without express permission. Yet shadow IT should never be taken lightly, as it can disrupt your security and compromise important priorities, like compliance. The good news, though, is that shadow IT is rarely malicious. With a bit of education, detection, and optimization, you can shed light on shadow IT and discourage its use.

[i]

[ii]

[iii]

[iv]

The post Do You Have A Shadow IT Problem? Here’s Why You Need A Plan appeared first on 星空传媒 星空传媒 Title Insurance Co..

Here鈥檚 a riddle for the title insurance and real estate industries: what does Dolly Parton鈥檚 song, 鈥淗ere You Come Again鈥� have to do with FinCEN, its Geographic Targeting Orders (GTOs), and its Final Real Estate Report Rule (Final Rule)?  Answer: the last verse of the song repeats the lyrics, 鈥淗ere you come again . . . And here I go鈥� several times, analogous to FinCEN鈥檚 multiple, back-to-back, ever-expanding GTO鈥檚 issued since 2016, culminating in its permanent Final Rule issued on August 28, 2024, and effective on December 1, 2025, and our efforts to adapt and comply with all of its changes and requirements. 

We first published a in November of 2024 discussing FinCEN鈥檚 Final Rule, its anticipated effective date of December 1, 2025, and the  things you should be thinking about to get an early start on operationalizing compliance with the numerous requirements.  Well, a lot has happened since then鈥攍et’s bring you up to speed.

What has the industry been up to?

First of all, industry stakeholders have been diligently working to try and reduce the impact of the Final Rule on your title insurance business. Some players have even started pushing back hard against the Final Rule.

• On April 14, 2025, East Texas Title  filed suit in the U.S. District Court, Eastern District of Texas, to get an injunction against the permanent FinCen Real Estate Rule from going into effect on December 1, 2025. Some of the legal arguments:
  • Violation of the Constitution鈥檚 separation of powers 鈥� title agents should not be 鈥渇orced to perform government surveillance on their clients by reporting private information from legitimate transactions鈥�
  • Constitution only grants Congress the power to regulate commerce between states and that the federal government has no standing to require businesses to collect information on real estate cash transactions that take place entirely within Texas
  • Fourth Amendment protects against 鈥渦nreasonable searches and seizures鈥� of 鈥減ersons, houses, papers, and effects,鈥� including business record – no right to require private business to violate the privacy of Americans.
    
• On May 20, 2025, a national underwriter  filed suit against Department of the Treasury and Treasury Secretary Scott Bessent, along with FinCEN and its director, Andrea Gacki, in the U.S. District Court, Middle District of Florida, Jacksonville Division.  Some of the legal arguments set out in their complaint include:
  • The rule exceeds FinCEN鈥檚 statutory authority
  • The rule is arbitrary and capricious
  • The rule violates the Fourth Amendment prohibition against warrantless searches
  • The rule violates the First Amendment鈥檚 prohibition on compelled speech
  • The rule exceeds any authority Congress could have delegated under the Commerce Clause or its other Article I powers
    
• On May 15, 2025, ALTA made a formal appeal to the Office of Management and Budget (OMB), asking for the 鈥淎nti-Money Laundering Regulations for Residential Real Estates鈥� Final Rule to be rescinded 鈥渋f changes are not made to lessen the overly burdensome requirements on small title companies.鈥� (See )
  

Second of all, ALTA took the lead and created a working group to develop information collection forms to capture the information required for FinCEN reporting under the Final Rule.  After all, FinCEN鈥檚 initial had 111 distinct fields so there will be a good bit of information to be collected! 

Third of all, ALTA has been working on creating helpful industry training webinars.  The first of these webinars was presented in March 2025 –  Learn How Proposed Real Estate Anti Money Laundering Rule Impacts You 鈥� and is available to watch as a free recording on Youtube at .  The second of these webinars was a comprehensive 2-day FinCEN Bootcamp training session held on June 2 and 3, 2025; while the Bootcamp was not a free event, we will be sharing valuable information from it in our future blogs and in agent training currently under development.  For now, you should know that the big takeaway from the Bootcamp is that it is NOT too early to begin operational preparations for the Final Rule.  It was pointed out that orders for cash transactions received in October and November could very well close in December and therefor be subject to the requirements of the Final Rule, so processes need to be in place to recognize and capture those early orders and ensure your agency鈥檚 compliance.  In fact, settlement agents are encouraged to register for the FinCEN filing portal in advance of the Final Rule鈥檚 effective date by going to and setting up a Supervisory User Account.  You can even prepare a practice report to understand the actual process and even provide your team with training. Just do not hit SUBMIT!

Lastly, on April 17, 2025, ALTA published based upon questions from their customers.  The questions involve numerous scenarios, and the answers do a good job of interpreting and applying the provisions of the Final Rule to the hypotheticals. 

What has FinCEN been up to since it鈥檚 publication of the ? 

On November 12, 2024, it released a to implement the Final Rule.  As with the posting of the Final Rule, the posting of the draft report form also has a preamble discussion, but if you want to skip over it and hop directly to the draft report section in the Appendix 鈥� Real Estate Report Summary of Data Fields, then click here .  

On June 5, 2025, FinCEN announced that the U.S. Department of the Treasury, on behalf of FinCEN, will submit the to the Office of Management and Budget (OMB) for review and clearance in accordance with the Paperwork Reduction Act of 1995 (PRA); the public comment period on the information collection request is open until July 7, 2025.  By law, an agency cannot collect information without displaying a valid OMB number, so this is another required step as FinCEN moves forward with its plans for a final report form to implement its Final Rule.  To skip the preamble and go directly to the Appendix-Real Estate Report Summary of Data Fields, click here .  

What has 星空传媒 星空传媒 been up to?

Members of 星空传媒 星空传媒鈥檚 legal team have participated in developing the ALTA information collection forms and trainings discussed above.  We recognize that all stakeholders in this process will need education to understand the benefits of the Final Rule as well as its impact on residential real estate transactions after December 1, 2025. Stay tuned for practical 星空传媒 星空传媒 agent training webinars starting later this summer. We will also offer programs for your real estate professional partners as their support of your information collection efforts will be critical to a smooth closing under the Final Rule. We are already working to train our internal team members so you will have a team of experts at your disposal. Then we will help 鈥渢rain the trainers鈥� so you are equipped to respond and educate your business referring partners as well.  One thing is clear, moving forward the more players in your real estate transaction who are up to date with the benefits of the Final Rule and the protections it offers, the more rapidly acceptance and adaptation will follow. 星空传媒 星空传媒 will be your expert now and as the Final Rule implementation becomes part of your standard operation procedures.  

The post Ready or Not: Preparing for the FinCEN Final Rule appeared first on 星空传媒 星空传媒 Title Insurance Co..

Remember the TV show The Weakest Link? Running from 2000 to 2012, the show enjoyed quite a bit of popularity back in the day. Host Anne Robinson鈥檚 catchphrase 鈥淵ou are the weakest link-goodbye!鈥� even became part of the cultural lexicon for a moment in time. A business鈥檚 cybersecurity strategy will inevitably have its own weakest link. No matter how well designed it is, no system is invulnerable to attack. For many businesses, vendor relationships are the weakest link. There are numerous reasons for that, ranging from third-party data access to weak authentication methods. Let鈥檚 explore how you can fortify these relationships and ensure you and your favorite vendors never need to say 鈥済oodbye.鈥�

Vendors: a beneficial but potentially risky relationship

A good vendor relationship can be highly beneficial, bringing cost savings, expertise and innovation that can translate into lasting competitive advantage. However, there is no question that vendors can introduce security risks for a business. One of the most significant is the potential for data leaks. If a vendor doesn鈥檛 have good security policies but has access to a business鈥檚 critical systems, that can be a potential attack vector for criminals.

But that鈥檚 just the tip of the iceberg. Vendors may use third-party tools with security gaps, rely on weak passwords, or fail to meet title industry security standards. Lastly, in the event of a security incident, a vendor may not have a dedicated incident response plan, which could lead to a disruption for your business.

Simple, straightforward security steps can help

While these risks are no doubt significant, there are a lot of simple steps you can take to make your vendor relationship more secure. The most important one is also the most obvious. Only give your vendor access to the systems and data they need to meet the conditions of your service agreement.

Beyond access control, there are several other precautions to take. It is wise to lay out cybersecurity roles, responsibilities and expectations at the start of any vendor engagement. Clear expectations help vendors handle your data responsibly, respond to incidents, and uphold security policies.

You and your vendor should also be on the same page on how you will respond if a security breach unfortunately does occur. Planning ahead can minimize disruptions and long-term damage to your business. Of course, all this hinges on first developing a trusting dynamic with your vendor. If you don鈥檛 communicate openly and transparently, it becomes much more difficult to collaborate on security goals and grow together.

Lastly, it is always a good idea to conduct regular security check-ins with your vendors. This is a good way to remain aware of the systems and data your vendor has access to. These meetings can also be a time to quickly and efficiently communicate any changes in your cybersecurity strategy.

The role of vendor security agreements (VSAs)

One of the best ways to make sure you are taking the precautions outlined above is by putting together a comprehensive vendor service agreement (VSA) at the beginning of a new vendor engagement. VSAs are a critical tool for managing security risks in third-party relationships, including data protection protocols, compliance and responsibilities in the event of a breach. Other provisions that are often included in a VSA encompass access controls, encryption requirements and multi-factor authentication (MFA) policies.

Additionally, a good VSA should include your agency鈥檚 incident response framework. If you鈥檙e considering developing a framework, detail how quickly a vendor must notify you of a security event and clearly list what steps they must take to help fix the issue. This can be an especially important provision. Data shows that the timeline from when an average vendor discovers a security problem to when they notify their client is often quite long. But it can be reduced when there is a contractual obligation to notify.[i]

Lastly, businesses should also explicitly define in their VSA how they want to approach periodic security audits for their vendors. It is perhaps the most effective strategy for ensuring alignment with evolving cybersecurity standards.

Toward an ever more productive and profitable partnership

It is a rotten feeling when a vendor causes a security incident, and you must deliver an Anne Robinson-style dismissal. With a little extra work, however, you can secure these relationships and help prevent security incidents before they start. When your vendor partnerships are safe, an even more productive and profitable dynamic becomes possible.

[i] 

The post Vendor Security: The Weakest Link? appeared first on 星空传媒 星空传媒 Title Insurance Co..