  
|
Posted By Robert Treuber,
Wednesday, November 12, 2025
|
What the Trump administration's 50-year mortgage plan could mean for homebuyers - CBS News On November 10th, CBS News broadcast the story about the 50-year mortgage proposal from FHFA Secretary Bill Pulte – see link below. https://www.cbsnews.com/news/trump-50-year-mortgage-loan-bill-pulte-cost/ Several Land Title Association Members had a conversation about this proposal via email. With their permission, it is reprinted below. NOTE – All statements are the sender's and do not reflect the opinion or the view of the sender's company or NYSLTA. BOB TREUBER, NYSLTA EXECUTIVE VP I'd like to see an email-debate between two people on opposite sides of the 50-year mortgage. Who benefits? Homeowners or Lenders? Is it good for Title? KEN WARNER, VP & Senior Counsel LandStar Title Agency How we look at a 50-year homebuyer mortgage may largely depend upon the amount of risk we think a homeowner should be allowed to take vs. how much protection we think they need. Some fear that if people can suddenly afford a bigger mortgage, then more people may compete for housing, thereby causing home prices to rise. Others fear that if homeowners don’t substantially pay down mortgage balances over time, they are more likely to go into a negative equity situation when home prices eventually dip. Homeowners with negative equity could find themselves unable to sell or refinance. Lots of negative equity could destabilize both the housing and mortgage markets. The reality is that most people who have a 30-year mortgage won’t keep it forever and won’t pay it down much in the early years. Even in a rising interest rate environment, most people will pay off their 30-year mortgage on sale or refinance within 7 to 10 years. A 30-year $100,000.00 mortgage at 7% paid for 7 years will have a balance of approximately $91,147.38 A 50-year $100,000.00 mortgage at 7% paid for 7 years will have a balance of approximately $98,017.71 Do we trust home buyers to use the increased purchasing power associated with a 50-year mortgage prudently? Most residential mortgages can be prepaid, in whole or in part, at any time without penalty so a homeowner with a 50-year mortgage is free to make extra principal payments at any time. We also need to consider whether the mortgage crisis of 2008 and our experience with negatively amortizing mortgage products taught us that homebuyers are not to be trusted with the assumption of increased risk. BILL COLLINS, DIRECTOR OF TITLE INSURANCE, FRONTIER ABSTRACT & RESEARCH Besides the likely increase in sales prices that Ken pointed out, a 50 year mortgage seems like it would have a significant “tail-end” problem. Assuming a 30 year old couple when purchasing a house, they would be around 60 when a 30 year mortgage is paid off, getting ready to retire and use their equity to fund their retirement. If they had a 50 year mortgage, they’d be looking at 20 more years to pay it off- and it’s VERY unlikely that they’d be working that long to do so. We’d be looking at a significant rise in mortgage delinquencies and foreclosures and an large increase in financial distress among elderly homeowners. The 50 year mortgage is really just a prescription to keep homeowners permanently in debt. MATT CAHILL, VP & CORPORATE UNDERWRITING COUNSEL, FIRST AMERICAN Dan Buchanan plugged it into ChatGPT to see what it had to say about a 50 year loan. Comparison summary | Term | Monthly Payment | Total Interest | Total Paid | | 30 years | $2,398 | $463,359 | $863,359 | | 50 years | $2,146 | $887,720 | $1,287,720 |
Bottom line Stretching the loan from 30 to 50 years lowers your monthly payment by about $250, but nearly doubles the total interest — roughly $424,000 more over the life of the loan. That’s a very expensive way to buy smaller monthly peace of mind — sort of like paying for Netflix for 20 extra years, but you only get reruns of Your Loan Statement. BILL COLLINS Lenders (and investors) would have to price that risk (that borrowers are VERY unlikely to be able to work long enough to pay off their debt) into their interest rate calculations, so the interest rate on a 50 year seems like it would be significantly higher than a 30 year. Possibly high enough that it would offset any monthly payment savings on the 50 year. KEN WARNER Matt, There is also a big difference in total interest paid between a 15-year mortgage and a 30-year mortgage. Where do you draw the regulatory line in protecting homebuyers? In “small commercial mortgage loan world”, interest only loans are typical. RICH ESTRELLA Esq., SENIOR VP & NYS AGENCY MANAGER,FIDELITY Very interesting discussion and thank you all for your well reasoned thoughts. After listening to the grown ups speak, I would think it makes no sense for someone to try and keep a 50 year old mortgage to maturity as Matt pointed out. Ken pointed out that after a 7 year repayment between a 30 year and 50 year mortgage the difference in principal balance was only a few thousand dollars so it appeared acceptable for someone to take a 50 year old mortgage and then refinance it. But I think taking a 30 year mortgage with a 7 year arm and refinancing it would be better option because your principal balance would be less. So I don’t see the benefit of a 50 year old mortgage JAMEDS SCATURRO, AVP BUSINESS ADVISIOR, NY AGENCY FIDELITY Bingo Bill ! The 50 year would easily be 60bps higher. If not a full point. You can't do the math with the same rate as a 30. Same as you can't do a 30 with a 15 year rate. PLEASE FEEL FREE TO POST YOUR COMMENTS.
This post has not been tagged.
Permalink
| Comments (2)
|
|
|
Posted By Robert Treuber,
Thursday, October 23, 2025
|
To: The executives and information
security personnel at all entities regulated by the New York State
Department of Financial Services (“DFS” or the “Department”) Re: Guidance on Managing Risks Related to Third-Party Service Providers Date: October 21, 2025 Covered Entities[1] have become more reliant on Third-Party Service Providers[2] (“TPSP” or “TPSPs”) for services that involve access to Information Systems[3] or Nonpublic Information[4]
(“NPI”). Although there are many potential benefits to engaging TPSPs,
Covered Entities must understand and address the risks posed by such
reliance. For example, reliance on TPSPs introduces the risk of
Cybersecurity Incidents[5]
at the TPSP, which can have a significant impact on Covered Entities’
operations and NPI. Appropriately managing these risks remains a
crucial element of a Covered Entity’s cybersecurity program. Covered
Entities’ exposure to threats will continue to grow as their reliance
on technologies managed by TPSPs—such as cloud computing, file transfer
systems, artificial intelligence (“AI”), and fintech
solutions—increases. The growing scale and complexity of cyber risks
posed by TPSPs demands a proactive, risk-based, and continuously
adaptive approach to third-party governance. Senior Governing Bodies[6] and Senior Officers[7] must engage actively in cybersecurity risk management, including the oversight of TPSP-related risks.[8]
Unless a Covered Entity qualifies for an applicable exemption, Senior
Governing Bodies must have a sufficient understanding of
cybersecurity-related matters to exercise appropriate oversight, which
includes the ability to provide a credible challenge to management’s
cybersecurity-related decisions to ensure that those decisions align
with the entity’s overall risk posture and resiliency objectives.[9]
The Cybersecurity Regulation (“Part 500”) also requires a Senior
Officer or the Senior Governing Body to review and approve the Covered
Entity’s cybersecurity policies and procedures at least annually.[10] The
Department reviews Covered Entities’ information security policies and
procedures, including those addressing TPSP risk, during examinations
and investigations. In these reviews, DFS has identified areas where
Covered Entities should strengthen their TPSP programs, including how
they monitor, assess, and manage TPSP cybersecurity risk. Specifically,
DFS has identified the need for more robust due diligence, contractual
provisions, monitoring and oversight, and TPSP risk management policies
and procedures. Moreover, DFS has observed a trend in which some
Covered Entities outsource critical cybersecurity compliance obligations
to TPSPs without ensuring appropriate oversight and verification by
Senior Governing Bodies or Senior Officers. As noted in previous
guidance, Covered Entities may not delegate responsibility for
compliance with the Cybersecurity Regulation to an affiliate or a TPSP.[11]
DFS has and will continue to consider the absence of appropriate TPSP
risk management practices by Covered Entities in its examinations,
investigations, and enforcement actions.[12] The
Department is issuing this guidance on managing risks related to
Third-Party Service Providers (“Guidance”) to assist Covered Entities of
all sizes[13]
in addressing risks associated with the use of TPSPs. The Guidance
does not impose new requirements or obligations on Covered Entities;
rather, it is intended to clarify regulatory requirements, recommend
industry best practices to mitigate common risks associated with TPSPs,
and promote compliance with relevant sections of Part 500, including
Section 500.11.[14]
In addition to clarifying regulatory requirements, the Guidance
describes steps Covered Entities should consider taking to assess and
address cybersecurity risks throughout the lifecycle of a TPSP
relationship, beginning with the due diligence and selection processes,
continuing through contracting, ongoing oversight and management of the
relationship, and ending with the termination of the TPSP relationship. Identification, Due Diligence, and SelectionWhen
selecting a TPSP, Covered Entities must assess the cybersecurity risks
the TPSP poses to the Covered Entity’s Information Systems and NPI.
Policies and procedures should outline how these risks are evaluated,
including minimum cybersecurity standards required for engagement, and
procedures for assessing the TPSP’s cybersecurity practices and controls
based on the unique risks presented by the TPSP.[15] Covered
Entities should classify TPSPs based on the latter’s risk profile,
considering factors such as system access, data sensitivity, location,
and how critical the service provided to the Covered Entity is to its
operations. For example, a TPSP with privileged access[16]
to a Covered Entity’s Information Systems and significant amounts of
NPI presents a greater risk than a TPSP that provides services operating
outside of the Covered Entity’s Information Systems. Providers of
critical services that often have a high degree of system-level access
and the ability to access sensitive NPI include companies that provide
IT managed services, outsourced help desk services, and insurance claims
management services. Additionally, Covered Entities should
develop a tailored, risk-based plan to mitigate risks posed by each
TPSP. The following is a non-exhaustive list of considerations that
Covered Entities should assess when performing due diligence on TPSPs: - The type and extent of access to Information Systems and NPI.
- The TPSP’s reputation within the industry, including its cybersecurity history and financial stability.
- Whether
the TPSP has developed and implemented a strong cybersecurity program
that addresses, at a minimum, the cybersecurity practices and controls
required by the Covered Entity and Part 500.
- The access controls
implemented by the TPSP for its own systems and data, as well as to
access the Covered Entity’s Information Systems, and the proposed
handling and storage of Covered Entity data, including whether
appropriate controls, such as data segmentation and encryption, are
applied based on the sensitivity of the data.[17]
- The criticality of the service(s) provided and the availability of alternative TPSPs.
- Whether
the TPSP uses unique, traceable accounts for personnel accessing the
Covered Entity’s systems and data and whether it maintains audit trails
meeting the requirements of Section 500.6.
- Whether the TPSP, its
affiliates, or vendors are located in, or operate from, a country or
territory jurisdictions that is considered high-risk based on
geopolitical, legal, socio-economic, operational, or other regulatory
risks.
- Whether the TPSP maintains and regularly tests its incident response and business continuity plans.[18]
- The TPSP’s practices for selecting, monitoring, and contracting with downstream service providers (“fourth parties”).
- Whether the TPSP undergoes external audits or independent assessments (e.g.,
ISO/IEC 27000 series, HITRUST) or can otherwise demonstrate, in
writing, compliance with Part 500 or industry frameworks such as the
National Institute of Standards and Technology’s (“NIST”) Cybersecurity
Framework.[19]
Covered
Entities should also consider how best to obtain, review, and validate
information provided by prospective TPSPs. For example, a standardized
questionnaire may assist in gathering responses, but qualified personnel
will need to interpret the responses to make risk-informed decisions,
ask follow-up questions as necessary, and determine appropriate
mitigation strategies. In some instances, Covered Entities may
face constraints when selecting, contracting with, or transitioning away
from a TPSP due to limited vendor options, industry concentration, or
legacy system dependencies. In such cases, organizations should make
risk-informed decisions, document the relevant risks, take steps to
implement compensating controls (e.g., monitoring,
segmentation, contract triggers), and conduct regular assessments of the
TPSP to evaluate whether viable alternative TPSPs have emerged over
time. ContractingThe Cybersecurity Regulation requires
Covered Entities that utilize TPSPs to develop and implement written
policies and procedures that address due diligence and contractual
protections.[20]
These policies must be risked-based and tailored to the services and
sensitivity of the data and Information Systems that will be accessed by
the TPSP. Below are a few examples of baseline contract provisions
Covered Entities should consider incorporating into their agreements[21] with TPSPs: - Access
Controls – Requirements for TPSPs to develop and implement policies and
procedures addressing access controls, including multi-factor
authentication, that comply with requirements in Sections 500.7 and
500.12.[22]
- Data
Encryption – Obligations to develop and implement policies and
procedures addressing encryption in transit and at rest as required by
Section 500.15.[23]
Although Covered Entities qualifying for exemptions under Section
500.19 are not required to comply with this obligation, given the
sensitivity of NPI, such Covered Entities should consider requiring
TPSPs encrypt sensitive data, including NPI, in transit and at rest.
- Cybersecurity
Event Notification – Provisions related to the immediate or timely
notice to the Covered Entity upon the occurrence of a Cybersecurity
Event directly impacting the Covered Entity’s Information Systems or NPI
being held by the TPSP.[24]
- Compliance
Representations – Obligations for the TPSP to provide representations
and warranties regarding compliance with applicable laws and
regulations, including applicable requirements of Part 500.[25]
- Data
Location and Transfer Restrictions – Requirements for the TPSP to
disclose where data may be stored, processed, or accessed; obtain prior
written approval for cross-border transfers (or full prohibitions of
this practice); and comply with applicable data residency or
localization laws. Although this contractual provision is not
explicitly required by the Cybersecurity Regulation, the Department
recommends incorporating this provision in contracts because Covered
Entities can more effectively analyze the risk to sensitive data,
including NPI, when they understand where data is stored and processed.
- Subcontractors
– Requirements for the TPSP to disclose the use of subcontractors that
may have access to or use the Covered Entity’s Information Systems or
NPI, as well as the ability of the Covered Entity to reject the use of
certain subcontractors for work on its Information Systems or NPI after
conducting appropriate due diligence. Although this practice is not
required by the Cybersecurity Regulation, the Department recommends
adoption of this practice so Covered Entities are better able to analyze
the risk to sensitive data, including NPI.
- Data Use and Exit Obligations – Restrictions related to the use and sharing of data, obligations to delete[26]
or migrate data held by the TPSP upon termination of the relationship,
and obligations to obtain appropriate certifications confirming the
completion of these steps.
Where relevant, Covered Entities
should consider including a clause related to the acceptable use of
Artificial Intelligence (“AI”), and whether the Covered Entity’s data
may be used to train AI models or be otherwise disclosed to additional
parties. In addition, the TPSP agreement should include remedies in the
event the Covered Entity reasonably determines that the TPSP has
breached any material terms of the agreement related to cybersecurity.
These remedies may include requiring timely remediation or permitting
early termination of the service agreement. This is not an
exhaustive list of contractual provisions that Covered Entities should
consider, nor is this list of terms viable or appropriate in all
situations.[27]
Covered Entities should carefully evaluate terms based on the nature of
the engagement, market conditions, and the sensitivity of data, among
other factors. Ongoing Monitoring and OversightAs
described above, each Covered Entity’s TPSP policy or policies must
address, to the extent applicable, the periodic assessment of TPSPs
based upon the risk each presents.[28]
The TPSP risk management procedures should include layered,
risk-informed oversight processes and controls designed to confirm that
TPSP cybersecurity programs are aligned with the Covered Entity’s
cybersecurity expectations.[29]
Accordingly, Covered Entities should develop and implement policies and
procedures for the ongoing monitoring and oversight of TPSPs. The
policies should be informed by a variety of factors, including the
evolving threat and regulatory landscape, changes to products and
services, and whether the TPSP has experienced a Cybersecurity Event.
While many of the initial due diligence considerations remain relevant
throughout the relationship, once active, Covered Entities must conduct
periodic assessments based on the risk(s) a TPSP presents and the
continued adequacy of their cybersecurity practices.[30] These assessments may consider, among other things, security attestations (e.g.,
SOC2, ISO 27001), penetration testing summaries, policy updates,
evidence of security awareness training, and compliance audits. Moreover,
where relevant, Covered Entities should request updates on
vulnerability management, assess patching practices, and confirm
remediation of previously identified deficiencies. Material or
unresolved risk should be documented in the Covered Entity’s risk
assessment and escalated through appropriate internal risk governance
channels. As part of a broader resiliency strategy, Covered Entities
should incorporate third-party risk into their incident response and
business continuity planning.[31]
For example, Covered Entities should assess how they would rapidly
transition to alternate systems or providers in the event of a
disruption and consider testing relevant portions of their business
continuity and incident response plans with their TPSPs. TerminationWhen
preparing for the end of a TPSP relationship, Covered Entities must
disable the TPSP’s access to the Covered Entity’s Information Systems.[32]
This includes revoking system access for TPSP personnel and
subcontractors and deactivating service accounts. For TPSPs providing
cloud-based services, organizations should revoke identity federation
tools (e.g., SSO, OAuth tokens), API integrations, and external
storage access. Covered Entities generally should require
certification of destruction of NPI, secure return of data to the
Covered Entity, or migration of data to another TPSP or internal
environment. As part of this process, Covered Entities should confirm
that any remaining snapshots, backups, or cached datasets are deleted
from TPSP systems and TPSP access to any shared resources is revoked. Additionally,
Covered Entities should give special attention to residual or
unmonitored access points that may fall outside routine access
provisioning systems. Access points that become redundant or
unnecessary during the course of the TPSP relationship should be
addressed or eliminated on an ongoing basis, rather than being left in
place until the end of the relationship. Procedures should align with
the Covered Entity’s cybersecurity program and comply with Section
500.7. To ensure a secure and orderly termination, Covered
Entities should develop a transition plan for critical services with
clearly defined timelines, roles and responsibilities. Management
should engage key stakeholders, including IT, legal, compliance,
procurement, and business units, to identify strategies to mitigate
potential risks. Prior to termination, Covered Entities should review
the agreement with the TPSP to identify offboarding obligations and
protections. In addition, Covered Entities should verify and retain any
data subject to legal, regulatory, or litigation hold requirements
before initiating data return or destruction processes. After
termination is completed, a final risk review should be conducted to
confirm that all obligations have been fulfilled, and that access and
data controls have been properly enforced. The offboarding process
should be documented and relevant audit logs retained to support
accountability and future verification. Finally, any lessons learned
should be incorporated into future third-party risk assessments and
contracting practices to refine and improve TPSP lifecycle management. ConclusionCovered
Entities must evaluate and mitigate cybersecurity risks relevant to
their own business. To that end, this Guidance highlights risks
associated with TPSPs as well as strategies to manage these risks as
part of an effective cybersecurity program. As third-party service
offerings expand and evolve, so too will TPSP-related cybersecurity
risks. Managing these risks appropriately requires performing, at
regular intervals, careful analysis of the sufficiency of
administrative, technical, and physical controls to manage third-party
risk, as required by Part 500.
[1]
A Covered Entity is defined in § 500.1(e) as “any person operating
under or required to operate under a license, registration, charter,
certificate, permit, accreditation or similar authorization under the
Banking Law, the Insurance Law or the Financial Services Law, regardless
of whether the covered entity is also regulated by other government
agencies.” N.Y. Comp. Codes R. & Regs. tit. 23, § 500.1(e) (2025).
References to Sections hereinafter refer to those in the Cybersecurity
Regulation. Capitalized terms used hereinafter are defined in the
Cybersecurity Regulation. [2]
Third-Party Service Provider is defined in § 500.1(s) as “a person
that: (1) is not an affiliate of the covered entity; (2) is not a
governmental entity; (3) provides services to the covered entity; and
(4) maintains, processes or otherwise is permitted access to nonpublic
information through its provision of services to the covered entity.” [3]
An Information System is defined in § 500.1(i) as “a discrete set of
electronic information resources organized for the collection,
processing, maintenance, use, sharing, dissemination or disposition of
electronic information, as well as any specialized system such as
industrial/process controls systems, telephone switching and private
branch exchange systems, and environmental control systems.” [4]
Nonpublic Information is defined in § 500.1(k) as ”all electronic
information that is not publicly available information and is: (1)
business related information of a covered entity the tampering with
which, or unauthorized disclosure, access or use of which, would cause a
material adverse impact to the business, operations or security of the
covered entity; (2) any information concerning an individual which
because of name, number, personal mark, or other identifier can be used
to identify such individual, in combination with any one or more of the
following data elements: (i) social security number; (ii) drivers’
license number or non-driver identification card number; (iii) account
number, credit or debit card number; (iv) any security code, access code
or password that would permit access to an individual’s financial
account; or (v) biometric records; (3) any information or data, except
age or gender, in any form or medium created by or derived from a health
care provider or an individual and that relates to: (i) the past,
present or future physical, mental or behavioral health or condition of
any individual or a member of the individual's family; (ii) the
provision of health care to any individual; or (iii) payment for the
provision of health care to any individual.” [5]
A Cybersecurity Incident is defined in § 500.1(g) as “a cybersecurity
event that has occurred at the covered entity, its affiliates, or a
third-party service provider that: (1) impacts the covered entity and
requires the covered entity to notify any government body,
self-regulatory agency or any other supervisory body; (2) has a
reasonable likelihood of materially harming any material part of the
normal operation(s) of the covered entity; or (3) results in the
deployment of ransomware within a material part of the covered entity’s
information systems.” A Cybersecurity Event is defined in § 500.1(f) as
“any act or attempt, successful or unsuccessful, to gain unauthorized
access to, disrupt or misuse an information system or information stored
on such information system.” [6]
A Senior Governing Body is defined in § 500.1(q) as “the board of
directors (or an appropriate committee thereof) or equivalent governing
body or, if neither of those exist, the senior officer or officers of a
covered entity responsible for the covered entity’s cybersecurity
program. For any cybersecurity program or part of a cybersecurity
program adopted from an affiliate under section 500.2(d) of this Part,
the senior governing body may be that of the affiliate.” [7]
A Senior Officer(s) is defined in § 500.1(r) as “the senior individual
or individuals (acting collectively or as a committee) responsible for
the management, operations, security, information systems, compliance
and/or risk of a covered entity, including a branch or agency of a
foreign banking organization subject to this Part.” [8]
Tit. 23, § 500.4(d). While Covered Entities that qualify for
exemptions under § 500.19 do not need to comply with the requirements of
§ 500.4, Covered Entities must still maintain a written cybersecurity
policy or policies that are approved at least annually by a Senior
Officer(s) or the Senior Governing Body who oversee its implementation.
Tit. 23, § 500.3. [9] See, e.g., Federal Financial Institutions Examination Council Information Technology Examination Handbook, Management Booklet, at I.A.1 Board of Directors Oversight, n.3,
https://ithandbook.ffiec.gov/it-booklets/management/i-governance/ia-it-governance/ia1-board-of-directors-oversight/
which states that “[a] credible challenge involves being actively
engaged, asking thoughtful questions, and exercising independent
judgment.” [11] See
N.Y. State Dep’t of Fin. Servs., Industry Letter on Adoption of an
Affiliate’s Cybersecurity Program (Oct. 22, 2021), available at https://www.dfs.ny.gov/industry_guidance/industry_letters/il20211022_affiliates_cybersecurity_program;
see also, Bd. of Governors of the Fed. Rsrv. Sys., Fed. Deposit Ins.
Corp., Off. of the Comptroller of the Currency, Interagency Guidance on
Third-Party Relationships: Risk Management, 88 Fed. Reg. 37920 (June 9,
2023); see also id. tit. 23, § 500.4(a)(1). [13] Note
that the Cybersecurity Regulation imposes different requirements on
organizations based on their size and resources. See id. § 500.1(d)
(describing the qualifying conditions for Class A Companies) and §
500.19(a) (describing the qualifying factors for Covered Entities that
are granted limited exemptions based upon the number of Covered Entity
personnel, revenue, and assets). [14] For
larger Covered Entities, including Class A Companies, a risk-based
approach and solutions may require different steps based upon the unique
circumstances, technologies, and other factors relevant to the entity. [15] Tit. 23, § 500.11(a). [16]
Privileged access refers to the access an Information System user has
where the user “is authorized (and therefore, trusted) to perform
security-relevant functions that ordinary users are not authorized to
perform.” See, definition of a “privileged user,” National Institute of
Standards and Technology, SP 800-53r5, Appendix A: Glossary, Security
and Privacy Controls for Information Systems and Organizations (Sep.
2020, updated Dec. 10, 2020), available at https://csrc.nist.gov/pubs/sp/800/53/r5/upd1/final. [17] Tit. 23, §§ 500.11(b)(1)-(2). [18] Tit. 23, § 500.16(d). [20] Tit. 23, § 500.11(b). [21]
The type of agreement, provisions, and exhibits will vary depending on
the nature of the services provided and type and breadth of data the
TPSP will access. For example, when using cloud-based service providers
such as Software-as-a-Service and Infrastructure-as-a-Service, among
others, Covered Entities may want to append a service-level agreement,
which typically defines service quality expectations, system
availability of the product or service for use (commonly referred to as
“up-time”), and response and recovery times. Alternatively,
organizations providing professional services (e.g., developer,
consultant, auditor) generally append Statements of Work to address
project-specific obligations, such as deliverables, timelines, and
scope. Both documents serve as contractual supplements that clarify
roles and expectations under a broader agreement. DFS understands that
these types of service-level agreements are often drafted by the TPSP,
and that Covered Entities may not always have sufficient leverage to
negotiate many of the terms. [22] Tit. 23, § 500.11(b)(1). [23] Tit. 23, § 500.11(b)(2). [24]
Section500.11 requires a Covered Entity’s policies and procedures to
include relevant guidelines covering, among other things, contractual
provisions addressing a TPSP’s obligation to provide notice of
Cybersecurity Events. A Covered Entity’s policies and procedures must
include guidelines and/or contractual protections that address the
notice to be provided in the event of a Cybersecurity Event directly
impacting the Covered Entity’s Information Systems or the Covered
Entity’s NPI being held by the TPSP. See supra note 5 (observing that
Cybersecurity Events include more than Cybersecurity Incidents). [25] Tit. 23, § 500.11(b)(4). [26]
See, e.g., tit. 23, § 500.13(b) (requiring each Covered Entity to have
policies and procedures for the secure disposal on a periodic basis of
certain NPI no longer necessary for business operations or other
legitimate business purposes). [27]
In this circumstance, Covered Entities should still seek to secure
reasonable protections, such as breach notification clauses, data use,
and assurances regarding access controls and data handling.
Additionally, they should consider limiting the volume and sensitivity
of data shared, using tokenization to replace sensitive data elements
and applying pseudonymization techniques to obscure individual
identities, where appropriate. Independent third-party assessments or
certifications (e.g., SOC 2, ISO 27001) should also be reviewed and
required where feasible. In parallel, organizations should develop
medium- to long-term strategi es
to reduce dependency, such as enabling data portability, modularizing
services, or evaluating alternative providers. Moreover, high-risk TPSP
relationships should be appropriately escalated through risk governance
frameworks and reflected in the Covered Entity’s risk assessments and
board-level reporting. [28] See tit. 23, § 500.11(a)(4). [29]
See, e.g., FINRA, Regulatory Notice 21–29, FINRA Reminds Firms of Their
Supervisory Obligations Related to Outsourcing to Third-Party
Vendors (Aug. 13, 2021), available at https://www.finra.org/rules-guidance/notices/21-29
(Guidance noting that member firms should consider, among other things,
vendor self-assessments, including certified reporting, as well as
conducting onsite visits) and NIST SP 800-161r1-upd1, Cybersecurity
Supply Chain Risk Management Practices for Systems and Organizations
(May 5, 2022, rev. Nov. 1, 2024), available at https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-161r1-upd1.pdf
(Publication recommending that organizations audit Information and
Communication Technology “supply chain-relevant events within their
information system boundaries” using mechanisms such as system logs,
intrusion detection system logs, firewall reports, and other evidence
trails. [30] Tit. 23, § 500.11(a)(4). [31] See, e.g., tit. 23, § 500.16. [32] Tit. 23, § 500.7(a)(4).
Tags:
cybersecurity
DFS
Industry Letter
Permalink
| Comments (0)
|
|
|
Posted By Robert Treuber,
Monday, October 20, 2025
|
These bills have impact on the Town of Chester, Co-ops, electronic records, corporate fines and tax exemptions in Nassau County. A3028 | Dilan CO: O'Pharrow
Allows domestic insurers to make certain records available by electronic means
Same as S 4674-A JACKSON
SUMM :Amd S325, Ins L Allows domestic insurers to make certain records available by electronic means if they are easily accessible from the insurer's principal office in this state and the insurer complies with all applicable state and federal laws and regulations.
Eff. Date 10/16/2025 |
A8651A | Simone CO: Rosenthal
Relates to the tax exemption of a mutual redevelopment company
Same as S 7780-B HOYLMAN-SIGAL
SUMM :Amd S125, Priv Hous Fin L Relates to the extension of a tax exemption for a mutual redevelopment company in a city having a population of one million or more persons.
Eff. Date 10/14/2025 |
S277A | SKOUFIS
Relates to community preservation funds for the town of Chester
Same as A 2022-A Maher
SUMM :Add S64-l, Town L; add Art 31-A-4 SS1439-aaa - 1439-ppp, Tax L Authorizes the town of Chester to establish community preservation funds; establishes a real estate transfer tax with revenues therefrom to be deposited in said community preservation fund.
Eff. Date 10/16/2025 |
S2551 | MYRIE CO: HOYLMAN-SIGAL, WEBB
Increases the fines imposed on a corporation for an offense defined within the penal law
Same as A 3858 Rozic
SUMM :Amd S80.10, Pen L Increases the fines imposed on a corporation for an offense defined within the penal law.
Criminal Sanction Impact. |
S6818 | BYNOE
Authorizes the county of Nassau assessor to accept an application for a real property tax exemption from The Cathedral of the Incarnation in the Diocese of Long Island
Same as A 2595 Ra
SUMM :Authorizes the county of Nassau assessor to accept an application for a real property tax exemption from The Cathedral of the Incarnation in the Diocese of Long Island.
Eff. Date 10/16/2025 |
S6819A | BYNOE
Authorizes the county of Nassau assessor to accept an application for a real property tax exemption from Chabad of West Hempstead
Same as A 6614-A Ra
SUMM :Authorizes the county of Nassau assessor to accept an application for a real property tax exemption from Chabad of West Hempstead for a portion of the 2022-2023 school taxes, a portion of the 2023 general taxes; all of the 2023-2024 school taxes and all of the 2024 general taxes; and all of the restored 2024-2025 school taxes and all of the restored 2025 general taxes.
Eff. Date 10/16/2025 |
This post has not been tagged.
Permalink
| Comments (0)
|
|
|
Posted By Robert Treuber,
Friday, October 17, 2025
|
The following bills were signed and chaptered. A3470
Lavine CO: Seawright
Relates to notice to be provided prior to a foreclosure action by a homeowners' association
Same as S 7413 KAVANAGH
Requires notice to be provided ninety days prior to commencement of a foreclosure action by a homeowners' association or condominium board to enforce a lien for unpaid common charges, assessments, fines or fees.
Eff. Date 10/16/2025 A6770
Griffin
Relates to the applicability of the residential redevelopment inhibited property exemption
Same as S 7285 RYAN S
Relates to expanding the applicability of the residential redevelopment inhibited property exemption to all cities, town, or villages in the state.
Eff. Date 11/15/2025 A6869
Alvarez
Prohibits discriminatory practices by real estate appraisers and furthers fair housing compliance
Same as S 7320 KAVANAGH
Prohibits discriminatory practices by real estate appraisers; furthers fair housing compliance.
Eff. Date 10/16/2025
Tags:
Chaptered bills
Permalink
| Comments (0)
|
|
|
Posted By Robert Treuber,
Wednesday, October 15, 2025
|
Governor Hochul has signed A8651-a/S7780-b. TITLE OF BILL:
An act to amend the private housing finance law, in relation to the
amount of taxes paid by a cooperative
PURPOSE OF BILL:
This bill would authorize Article V mutual redevelopment companies in
cities with a population of over one million people to pay no more than
five percent tax on their shelter rent
SUMMARY OF PROVISIONS:
Section 1 of the bill amends section 125 of the private housing finance
law to ensure that.the shelter tax minimum rate for article five co-ops
is no greater than five percent
Section 2 is the effective date
JUSTIFICATION:
This bill would provide relief to Penn South, the only remaining Article
V co-op property. Penn South faces rising operational costs, which
threaten to impact building quality and financial health. There is an
acute shortage of affordable housing and this legislation would ensure
the viability of what already exists.
Additionally, this bill would ensure that Penn South receives equal tax
treatment compared to Article II Mitchell Lama developments. These
properties were previously treated similarly and this bill would restore
that equal treatment.
Tags:
Chaptered bills
Permalink
| Comments (0)
|
|
|
Posted By Technology Committee,
Monday, October 6, 2025
|
Dear Colleagues, On October 14, 2025, Microsoft will officially end all support for Windows 10. After this date, Windows 10 machines will no longer receive security updates or patches, leaving them dangerously exposed to hackers and other cyber threats. This change is not optional and it will impact many of us directly. While some computers can be upgraded to Windows 11, a large number of office machines will not meet the requirements. That means many devices will need to be replaced entirely to remain secure and compliant. Continuing to operate on unsupported systems is a serious risk, both to your own data and to your clients’ information. The title industry is a prime target for cyberattacks, and leaving Windows 10 machines in service after October 14 invites unnecessary vulnerability. Please take time now to: - Identify all computers in your office still running Windows 10.
- Confirm whether they can be upgraded to Windows 11.
- Make replacement plans immediately for any systems that cannot.
This is a significant change with a firm deadline. Acting today will help ensure your business operations remain secure and uninterrupted. Thank you for your attention to this urgent matter. Best regards, Andrew Zankel, NTP - Technology Committee Chair Dan Celikoyar – Technology Committee Vice-Chair
Tags:
cybersecurity
Technology Committee
Permalink
| Comments (0)
|
|
|
Posted By Robert Treuber,
Tuesday, September 9, 2025
|
Julie Sweet,
CEO of consulting giant Accenture, has a rare line of sight into the AI
ambitions and worries of the world's biggest companies. https://www.axios.com/2025/09/09/behind-the-curtain-slow-hard-ai?stream=top "...companies need more than
AI-proficient staff. They need leaders, often different from the ones
existing today, who can figure out how to pull AI levers across the
company to truly move the needle meaningfully...."
This post has not been tagged.
Permalink
| Comments (0)
|
|
|
Posted By Robert Treuber,
Monday, August 25, 2025
|
A5364 | Carroll P
Limiting the shift between classes of taxable property in the town of Haverstraw, county of Rockland
Same as S 5233 WEBER
SUMM :Amd S1903, RPT L Relates to limiting the shift between classes of taxable property in the town of Haverstraw, county of Rockland for 2025-2026. |
Tags:
Chaptered bills
Rockland County
Permalink
| Comments (0)
|
|
|
Posted By Robert Treuber,
Monday, August 11, 2025
|
Bill No.
A5380 Bronson
Extends the authorization for the county of Monroe to impose certain sales and compensating use taxes
Same as S 6669 COONEY
SUMM : Amd S1210, Tax L Extends the authorization for the county of Monroe to impose certain sales and compensating use taxes to November 30, 2027.
Eff. Date 08/07/2025
A6531 Miller
Extends authorization of the county of Herkimer to impose a county recording tax on obligation secured by a mortgage on real property
Same as S 5607 WALCZYK
SUMM : Amd S2, Chap 549 of 2005 Extends authorization of the county of Herkimer to impose a county recording tax on obligation secured by a mortgage on real property to 12/01/2027.
Eff. Date 08/07/2025
A8210 Kelles CO: Gallahan
Extends provisions of law authorizing the county of Cortland to impose an additional mortgage recording tax
Same as S 7912 WEBB
SUMM : Amd S2, Chap 443 of 2007 Extends provisions of law authorizing the county of Cortland to impose an additional mortgage recording tax until December 1, 2027.
Eff. Date 08/07/2025
S21 STEC
Relates to expenditures for Warren county community colleges; extends the effectiveness of provisions relating to an additional Warren county mortgage recording tax
Same as A 3980 Simpson
SUMM : Amd S261, Tax L; amd S2, Chap 368 of 2008 Relates to Warren county no longer providing community colleges funding with excess funds from the collection of mortgage recording taxes as such money is allocated to the CDTA; extends the effectiveness of provisions relating to an additional Warren county mortgage recording tax to December 1, 2027.
Eff. Date 08/07/2025
S1078A HELMING
Extends provisions of law authorizing the county of Livingston to impose an additional mortgage recording tax
Same as A 2728-A Bailey
SUMM : Amd S2, Chap 373 of 2019 Extends provisions of law authorizing the county of Livingston to impose an additional mortgage recording tax until December 1, 2027.
Eff. Date 08/07/2025
S2111 OBERACKER
Relates to the authority for the impose an additional mortgage recording tax in Otsego county
Same as A 5479 Tague
SUMM : Amd S2, Chap 374 of 2024 Extends the authority for the county of Otsego to impose an additional mortgage recording tax.
Eff. Date 08/07/2025
S3495 O'MARA
Extends provisions relating to the mortgage tax in the county of Steuben
Same as A 6659 Palmesano
SUMM : Amd S3, Chap 365 of 2005 Extends provisions relating to the mortgage tax in the county of Steuben until December 1, 2027.
Eff. Date 08/07/2025
S3497 O'MARA
Extends provisions relating to the mortgage tax in the county of Yates
Same as A 4069 Palmesano
SUMM : Amd S2, Chap 366 of 2005 Extends provisions relating to the mortgage tax in the county of Yates until December 1, 2027.
Eff. Date 08/07/2025
S3626 OBERACKER
Extends the authorization for the county of Schoharie to impose a county recording tax on obligation secured by a mortgage on real property
Same as A 4135 Tague
SUMM : Amd S2, Chap 333 of 2006 Extends the authorization for the county of Schoharie to impose a county recording tax on obligation secured by a mortgage on real property.
Eff. Date 08/07/2025
S4543 OBERACKER
Extends the mortgage recording tax for Chenango county and relates to the depositing of mortgage recording tax funds into the general fund of the county of Chenango
Same as A 5351 Angelino
SUMM : Amd S2, Chap 376 of 2024; amd S261, Tax L Extends the mortgage recording tax for Chenango county; relates to the depositing of mortgage recording tax funds into the general fund of the county of Chenango.
Eff. Date 08/07/2025
S6212 HINCHEY
Extends the authorization of the county of Greene to impose an additional mortgage recording tax
Same as A 5007 Tague
SUMM : Amd S2, Chap 218 of 2009 Extends the authorization of the county of Greene to impose an additional mortgage recording tax.
Eff. Date 08/07/2025
S6216 WALCZYK
Extends provisions allowing the county of Fulton to impose a mortgage recording tax
Same as A 7443 Smullen
SUMM : Amd S2, Chap 489 of 2004 Extends provisions allowing the county of Fulton to impose a county recording tax on obligation secured by a mortgage on real property to November 30, 2027.
Eff. Date 08/07/2025
S6740 BORRELLO
Extends the authorization of the county of Cattaraugus to impose an additional mortgage recording tax
Same as A 7420 Sempolinski
SUMM : Amd S2, Chap 98 of 2009 Extends the authorization of the county of Cattaraugus to impose an additional mortgage recording tax until December 1, 2027.
Eff. Date 08/07/2025
S7080 HINCHEY
Extends the authority of the county of Columbia to impose an additional real estate transfer tax
Same as A 7665 Bendett
SUMM : Amd S2, Chap 556 of 2007 Extends the authority of the county of Columbia to impose an additional real estate transfer tax by two years.
Eff. Date 08/07/2025
S7128 WALCZYK
Extends certain provisions authorizing the county of Hamilton to impose a county recording tax on obligations secured by mortgages on real property
Same as A 7713 Smullen
SUMM : Amd S2, Chap 326 of 2006 Extends certain provisions authorizing the county of Hamilton to impose a county recording tax on obligations secured by mortgages on real property to December 1, 2027.
Eff. Date 08/07/2025
S7525A FAHY
Extends the authorization to impose a county recording tax on obligations secured by a mortgage on real property in Albany County
Same as A 8114-A Steck
SUMM : Amd S2, Chap 405 of 2005 Extends the authorization to impose a county recording tax on obligations secured by a mortgage on real property in Albany County.
Eff. Date 08/07/2025
S8180 SEPULVEDA
Extends authorization for the city of New York to sell certain property owned by such city
Same as A 8426 Cook
SUMM : Amd S2, Chap 548 of 2010 Extends the authorization for the city of New York to sell to abutting property owners real property owned by such city, consisting of tax lots that cannot be independently developed due to the size, shape, configuration and topography of such lots and the zoning regulations applicable thereto.
Eff. Date 08/07/2025
This post has not been tagged.
Permalink
| Comments (0)
|
|
|
Posted By Robert Treuber,
Tuesday, August 5, 2025
|
A bill was signed and chaptered to amend chapter 218 of the laws of 2009 amending the tax law relating to authorizing the county of Greene to impose an additional mortgage recording tax, in relation to extending the effectiveness thereof.
This post has not been tagged.
Permalink
| Comments (0)
|
|
Print Page
Blog Home
All Blogs
RSS