Commercial Magazine

Build a Stronger Wall

Cybercriminals are exploiting the pandemic to attack mortgage companies

By Al Alper

As we move into a new business environment created by the COVID-19 outbreak, more people are working remotely. In one respect, the commercial mortgage industry is unique. Unlike other employment sectors where the information that is used and stored is limited to a few participants, more than a dozen parties access and share information on the typical mortgage transaction.

Commercial mortgage brokers and lenders — as well as their third-party providers — also gather, input and store a massive amount of personal and financial information for each transaction. This makes the industry as a whole a particularly inviting target for cunning cybercriminals, fraudsters and identity thieves. 

Simply put, the industry is more susceptible to business interruption from hacking and the theft of information. Many mortgage companies, however, continue to struggle with how best to reduce their overall cybersecurity risk, avoid additional regulatory scrutiny and steer clear of fines by taking reasonable care to avoid a breach. 

Let’s not forget the potential consequences of ignoring the threat. In a growing number of states, financial-services companies face potentially stiff fines for failing to protect their data. The New York Department of Financial Services’ cybersecurity regulation (NYCRR 500), the California Consumer Privacy Act and the European Union’s General Data Protection Regulation have pushed overall cybersecurity standards to a new level for financial-services companies. 

More states — and maybe the federal government as well — will eventually follow these models. Mortgage companies also must be concerned about the potentially deep damage to their reputations should a significant breach occur. For many organizations, it comes down to a “pay now or pay later” decision as it relates to cybersecurity and compliance.

Many-sided threat

Hackers fit many different profiles. They can be foreign-based or your next-door neighbor. They can be a sophisticated, organized criminal enterprise or merely a computer-savvy individual working alone who enjoys the challenge of breaking into a company and causing chaos.

Hackers of all stripes look for weaknesses in a company’s security, probing for ways to break through the wall to scoop up sensitive data and documents. The way into this vault of information is often through a simple flaw in a single authorized user’s outdated applications. The typical mortgage company is particularly vulnerable because numerous people are involved in the transaction. Each one of these individuals, including the commercial mortgage broker and borrower, can be the source of the breach. This threat has only increased as more people have started to work from home, using personal computers and conducting business from numerous locations. 

The COVID-19 outbreak increased this risk, but the threat has been growing for some time. The exploitation of mortgage applicant information has been on the rise simply because more financial records are scanned and stored digitally for use at a later time. So, how does a mortgage company minimize these risks? 

Outdated browsers are the culprit of many hacks. Up-to-date internet browsers are a must for any business dealing with sensitive financial information. It is advisable to use Google Chrome or a similar browser that receives automatic patches and updates.

Microsoft support for devices running Windows 7, Windows 2008 and Windows Mobile had an expiration date of Jan. 14, 2020, according to a report from cybersecurity company Forescout. The use of unsupported operating systems not only exposes a company to data breaches, it also can impact regulatory compliance by translating into fines.

Outdated installations of software such as Flash and Java are another serious threat to mortgage companies. Old versions of a program are a boon for hackers, so the best protection is to keep these software systems up to date and apply patches immediately when they are available. As cyberattack strategies become increasingly sophisticated, it also is wise for mortgage companies to run a security-risk analysis more often.

Third-party risk 

Commercial mortgage companies also should be aware of an increase in third-party provider breaches. Title companies and appraisers have not traditionally adopted standardized technology or cybersecurity controls, leaving the brokers and lenders who do business with them subject to attack. If a hacker breaks into a managed service provider (MSP), they can access a whole world of data from a huge sweep of sources. In this dire scenario, not only is the MSP breached, but so too are its clients and yours. 

The most basic of all defenses against security attacks is the employee password. Mortgage company employees must use passwords that are secure and unique, and these should be updated regularly. In fact, there are password-manager companies that automate and store complex passwords for other businesses. 

Regular backup of important files is critical. These backups should be maintained on media that is physically disconnected from an office’s local system — the cloud or an external drive are the best bets. Sensitive data should not be maintained on a local drive and customer information should never be transmitted over public networks.

Although basic security measures like these can go a long way in protecting a mortgage provider against cybercrime, today’s risks are increasing as criminals find new ways to steal information. To that end, cybersecurity tools exist to monitor network system traffic. Some protect information stored on external hard drives, Internet of Things (IoT) devices and laptops using embedded security to safeguard data beyond basic encryption. 

There also are security tools that protect email accounts from spyware hidden in email transmissions. Another great line of defense is a tool that can detect ransomware (malicious software that essentially holds a computer system hostage) in real time and prevent the corrupted software from running.

Antivirus protection and basic security features can keep clients’ sensitive financial information from being hacked. Today’s cybercriminals, however, are constantly looking for new ways to attack. For mortgage lenders and brokers alike, the investment in security infrastructure and professional services is well worth the expense. You will not only protect your clients but also avoid compliance headaches, stiff fines and, potentially, severe damage to or even loss of your business due to a damaged reputation. ●


  • Al Alper

    Al Alper is CEO of Absolute Logic, Inc. and CyberGuard360. Since 1991, Absolute Logic has been providing Fortune 500-style technical support, security services and technology consulting to businesses of up to 250 employees within Connecticut and New York.
