ARTICLE | From Scotsman Guide Residential Edition | October 2016

Cybersecurity Is Not Enough

Ineffective tech strategies put borrower data at risk


In a saturated market like the mortgage industry, client retention is vital. You go to great lengths to ensure that your borrowers’ experiences with you are extraordinary and that they are satisfied with your services. In turn, they keep rewarding you with their trust, their positive word of mouth and their business.

Trust and positive word of mouth are fragile gifts, however, that a data breach can completely and irrevocably destroy, along with everything you have worked so hard to accomplish. Moreover, a data breach impacts not only you and your borrowers, but the whole mortgage industry. To mitigate risk, you look to technology. But technology only protects you from forces outside your company.

The Ponemon Institute estimates that the average U.S. business spends nearly $4 million to recover from a data breach, excluding the indirect costs of lost business and reputation damage. This figure provides raw context you can use to make a general business case for a cybersecurity strategy.

Warren Buffett said: “It takes 20 years to build a reputation and five minutes to ruin it. If you think about that, you’ll do things differently.” Paraphrasing Buffett’s words, it takes 20 years to build your business, and one data breach to ruin it. If you think about that, you will do things differently.

Data-breach impact

The Identity Theft Resource Center (ITRC) found that over 40 percent of all U.S. data breaches in 2015 involved Social Security numbers (SSN). Given that the theft of Personally Identifiable Information (PII) is a prime driver of cybercrime, a nonexistent, partial or badly implemented cybersecurity strategy not only exposes your borrowers to the risk of financial fraud, but also to the devastating consequences of identity theft.

Hackers seldom use the data they steal. Instead, they sell it to other devious characters. Type “buy SSN” into Google and examine some of the 600,000 or more results, which excludes dark-web entries. Besides finding your own SSN for sale — because nearly a billion U.S. data records have been breached since 2005, according to ITRC — you will see how easy it is to buy stolen SSNs for as little as 50 cents each.

When measured by the degree of sheer human misery caused, the impact of a data breach is far more devastating for your borrowers than it is for you. Unfortunately, the industry has been slow to proactively protect borrower PII data. According to ITRC, the incidence of identity theft in the U.S. banking/credit/financial sector increased 87 percent between 2014 and 2015, and the percentage of total breaches involving the sector almost doubled in that time. These kinds of numbers draw the attention of the federal government, which increases regulation — specifically cybersecurity regulation — to help protect citizens. This increases the regulatory burden for mortgage professionals.

Partial solution

Your friendly information technology (IT) vendor will try to sell you all manner of software to protect you against cybersecurity risk. Some of you may have acquired some of these tools, believing that was all there was to cybersecurity. Regrettably, you’ve perhaps addressed only about one-third of the risk by doing so.

It turns out that most data breaches are probably caused by human error. Norman Shaw, founder and CEO of ExactTrak, recently wrote: “There is broad agreement within the industry that human error is the cause of most data breaches.” Shaw cites data from several sources to back up this statement: The IT Policy Compliance Group estimates that the portion of data loss attributable to human error is 75 percent, while the Aberdeen Group places this number at 64 percent. For actual security breaches, CompTIA estimates that in 52 percent of cases the root cause is human error.


The role of people as drivers of cybersecurity risk is so significant that the “2015 Global State of Information Security” report from consulting company PwC found that, “Employees are the most-cited culprits of incidents.” More recently, a KPMG article about the five most common cybersecurity mistakes reported that, “Effective cybersecurity is less dependent on technology than you think.”

Assigning total responsibility for managing cybersecurity risk to your IT vendor or department is therefore risky. Sure, the risks of malware, viruses and electronic hackers can be mitigated by technology, but more is needed to mitigate the effect of people, who are the dominant drivers of cybersecurity risk. These people-driven risks are the result of disgruntled employees, user error, poor due diligence by suppliers or service providers, loss or theft of equipment, sabotage, spam and phishing e-mails — factors for which technology alone isn’t always the right response. 

Risk-aware culture

Technology is more effective in the presence of supporting policies, processes, standards and guidelines, in addition to the support of training and ultimately a risk-aware business culture. Let’s consider some scenarios to illustrate this reality:

  • Hardware and software scenario. The mortgage industry shares information using devices like desktops, laptops, tablets, mobile phones and USB flash drives. Only some of these are password-secured, which makes losing them especially risky. Have you ever written your password on a sticky note and pasted it to your monitor for easy reference? Is your password the same one you entered five years ago? Is it as simple as “password”? What happens when another employee secures your application password because that person saw you typing it, found it on a sticky note or, worse, because you gave it to him or her? Today, while you were out to lunch, that employee downloaded your borrowers’ details and sold them to a syndicate for extra cash.
    Response: Mandatory passwords are important, especially if BYOD (bring your own device) is an element of your IT strategy, but so are password-refresh intervals and password-complexity rules. Information-privacy policies and cyberrisk awareness training are better tools for preventing passwords from being exposed to or shared with other employees in the first place.
  • Public-networks scenario. An originator goes to a coffee shop for lunch and connects to the local Wi-Fi to send some e-mails to borrowers. Unfortunately, a hacker sitting around the corner has set up a Wi-Fi hotspot that looks identical to the regular coffee-shop access point. Your originator connects to this fake access point and sends e-mails that include borrower PII and financial data. The hacker records this valuable data and phones a contact to discuss its sale.
    Response: Technology can disallow access to external networks, but this is seldom practical. Instead, training employees about identifying trusted access points and using secured instead of unsecured external networks, plus putting supporting policies in place with respect to the use of external networks, are some steps you should take to mitigate this risk.
  • Service-providers scenario. Your mortgage company has a business relationship with a trusted local attorney’s office. Your company has deployed firewalls and anti-malware software, put in place supporting policies and processes and trained all employees on how to mitigate cybersecurity risk. Your president even takes pride in telling borrowers that their data is safe. Unfortunately, your trusted attorney partners haven’t bothered with all this cybersecurity “mumbo jumbo.” Consequently, they were hacked. The breach included the theft of a large variety of sensitive borrower PII data your company shared with this trusted partner. Unfortunately, the risk then escalated because some of your company’s systems are networked with systems at the attorney’s office.
    Response: The U.S. National Institute of Standards and Technology (NIST) recommends steps to mitigate this risk, including specifying the cybersecurity standards that service providers like attorneys and cloud services must adhere to. Any gaps exposed during due diligence should be addressed before conducting business with these partners.

•  •  •

A data breach impacts your financial standing and the sustainability of your business, the financial and personal security of your borrowers, and the entire mortgage industry. It therefore protects us all to be proactive about cybersecurity, whether for selfish business interests, ethics or for the reputation of the entire industry. But technology alone is not a sufficient cyberrisk response, because people are the leading cause of data breaches. For example, the risk of a shared password cannot be mitigated by technology, and neither can the risk of poor due diligence from partners such as attorneys. 

Instead, your staff, along with the policies that drive their behavior and, ultimately, a risk-aware company culture must all be part of the first line of defense in a comprehensive cybersecurity strategy that effectively balances technology, processes, training and business culture. Effective cybersecurity strategies go beyond technology to the day-to-day running of your business. Any efforts you make toward comprehensively mitigating cybersecurity risks will give your borrowers yet another great reason to maintain their trust in you.
