Residential Magazine

Danger’s Knocking

Take advantage of tools and best practices to guard against cyberattacks

By E.J. Yerzak

Cyberattacks are on the rise, and they are growing in complexity and sophistication. Financial institutions are a particularly attractive target due to the vast amounts of sensitive data they maintain. Mortgage originators of all shapes and sizes, including retail banks, community credit unions and other

Lenders play a critical role in the mortgage workflow by requesting, processing and storing large quantities of personally identifiable information about consumers who seek loans. This includes names, addresses, phone numbers, dates of birth, tax information and Social Security numbers, as well as bank and brokerage account numbers. The data also includes other details valuable to cybercriminals when aggregated with other sources of information about a target, including their credit scores, salary, employment history and electronic signatures.

The mortgage lending process typically involves the need to transmit data to various third parties, creating a dizzying array of document-management portals, information communicated via unsecured email and reams of paper containing sensitive information. Remote workforces have increased cybersecurity risks.

Regulatory risk

Fortunately, the mortgage industry is not facing this battle on its own. While industry-specific requirements arise in certain subsectors, much of the applicable guidance around cybersecurity for mortgage lenders is similar to best practices for the entire financial-services sector.

The Gramm-Leach-Bliley Act, passed more than 20 years ago, demonstrated the federal government’s interest in protecting personal information and privacy. It mandates that “each financial institution has an affirmative and continuing obligation to respect the privacy of its customers and to protect the security and confidentiality of those customers’ nonpublic personal information.” In order to better protect personal data, institutions must give consumers notice of information-sharing practices and the chance to opt out.

This interest in privacy has been extended by the California Consumer Privacy Act, the California Privacy Rights Act and similar legislation in other states. Influenced by the European Union’s General Data Protection Regulation, these laws spell out consumer rights — including the right to know what personal data is collected, to opt out of its sale or sharing, to correct inaccurate information and to request that data be deleted. These state laws also mandate informed consent for data practices, requiring businesses to disclose the kinds of data they collect, what they do with the data and how long they will keep it.

Industry regulators are not shy about enforcing compliance. The Federal Trade Commission (FTC) has dealt with cases of privacy, data security and identity theft issues that involve spam, spyware and other privacy violations on more than 200 occasions in the past 20 years. The most notable cases involved companies misrepresenting the extent of security controls they deployed to protect consumer data.

Identity theft is a particular concern for institutions that handle mortgages and it is regulated through the FTC’s Red Flags Rule. An identity-theft prevention program must include reasonable policies and procedures to identify potential red flags — or warning signs of identity theft — that might occur in a company’s day-to-day operations. It also must detail appropriate actions the company will take when red flags are detected, and state how the company will stay up to date with new threats. The FTC is seeking to ensure that institutions do not simply create an identity-theft policy but actually implement these due-diligence practices into all operations.

Governmental guidance

The Federal Financial Institutions Examination Council, an interagency body of U.S. banking regulators, offers a voluntary Cybersecurity Assessment Tool as well as guidance on cloud computing. The cloud guidance addresses the data-protection risks of storing data with a third-party cloud-service provider, an arrangement inherent in many mortgage transactions.

Since 2014, the Federal Deposit Insurance Corp. has urged financial institutions to participate in, and draw threat information from, several groups. These include the U.S. Computer Emergency Readiness Team (US-CERT), the U.S. Secret Service Electronic Crimes Task Forces, the FBI’s InfraGard, regional coalitions and the Information Sharing and Analysis Centers (ISACs).

The Office of the Comptroller of the Currency (OCC) also has provided guidance with an emphasis on response and resilience capabilities, authentication and system configuration to help companies deal with cyberattacks. These include maintaining an incident-response plan and a data-backup strategy. The OCC also suggests restricting access to data based on job function and regularly reviewing networks and software systems for needed updates. On third-party cloud-service providers, OCC’s guidance states that companies that outsource functions still bear responsibility for the data and should know which subcontractors their providers use.

The Financial Industry Regulatory Authority (FINRA) — an independent, nongovernment organization that regulates securities companies — released a cybersecurity risk report earlier this year that can be useful for all financial institutions. FINRA detected an increase in cybersecurity-related events for companies that included systemwide outages, email account takeovers, fraudulent wire requests, imposter websites and ransomware. In order to combat these incidents, FINRA compiled a list of effective practices, including insider-threat and risk management, incident-response planning, system patching, asset inventory and change-management processes.

Finally, state regulations also may present additional obligations. The New York Department of Financial Services’ Cybersecurity Regulation requires covered entities, including mortgage companies that are not otherwise exempt, to maintain a written information security program that includes regular risk assessments and testing. Even mortgage servicers that are exempt under the law should nonetheless consider adopting and implementing reasonable cybersecurity controls, since cyberattacks do not discriminate between regulated and unregulated firms.

Best practices

The mortgage industry can benefit from leveraging financial-sector best practices, particularly since financial services are designated by the U.S. government as one of 16 areas of critical infrastructure.

The National Institute of Standards and Technology (a part of the U.S. Department of Commerce) provides a cybersecurity framework, which is a useful tool to assist organizations in flagging gaps in their cybersecurity controls across key risk areas. This framework is organized into five functions — identify, protect, detect, respond and recover — which are then subdivided into more granular areas. Federal agencies are now mandated to follow this framework, but its use is voluntary for the private sector. Nonetheless, the framework is beneficial to mortgage lenders of all sizes and levels of technical expertise.

These best practices can help a mortgage originator or lender shrink the attack surface that attackers seek to exploit. The guidance suggests that companies implement the principle of least privilege, assigning staff access through role-based permissions that match job responsibilities, so that a compromised account exposes only the data that role actually needs.

Companies should require that all requested documents containing personally identifiable information be uploaded through secure, encrypted document-management portals, and should prohibit unsecured email for file transfers. Laptops used by staff, particularly those working remotely, should have full-disk encryption so that data is protected at rest, and their connections to company systems should run through a virtual private network so that data is protected in transit.

The best practices also suggest strong, unique passwords combined with multifactor authentication for all staff and all applications, especially email and file-sharing portals. Companies should harden network endpoints by keeping malware protection and patches current, changing default passwords and securing mobile devices.

To protect against ransomware, companies should perform regular backups of critical data and keep at least one copy offline, where ransomware that reaches the network cannot encrypt it. Data should be classified by sensitivity. Cybersecurity procedures should be written, maintained and reinforced with regular staff training. Simulated phishing exercises, vulnerability scans and risk assessments should be conducted regularly. The guidelines also extend to physical security: offices should be safeguarded with door locks, keypads, visitor-access policies and shredding bins for paper documents.
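The least-privilege and data-classification points above can be made concrete as a deny-by-default access check: each role is granted explicit actions up to a classification ceiling, and anything not granted is refused and logged. The following is an added example written for this page, not code from the article or from any product or regulator it mentions; the role names, classification tiers, loan identifiers and users are constructed for illustration.

```python
"""Least-privilege access check for a hypothetical loan-document portal.

Added example (not from the article). Roles, classification tiers, loan IDs
and users below are constructed for illustration.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, FrozenSet, List, Tuple


class Sensitivity(IntEnum):
    """Data classification tiers, lowest to highest (constructed)."""
    PUBLIC = 0        # rate sheets, marketing material
    INTERNAL = 1      # pipeline reports without borrower identifiers
    CONFIDENTIAL = 2  # borrower PII: SSNs, tax returns, account numbers
    RESTRICTED = 3    # fraud investigations, regulator correspondence


@dataclass(frozen=True)
class Role:
    # action -> highest classification on which that action is permitted
    ceilings: Dict[str, Sensitivity]
    # True only for roles whose job requires every loan (e.g. internal audit)
    all_loans: bool = False


# Grants are explicit. Any (role, action, classification) not listed is denied.
ROLES: Dict[str, Role] = {
    "loan_officer": Role({"read": Sensitivity.CONFIDENTIAL,
                          "upload": Sensitivity.CONFIDENTIAL}),
    "processor": Role({"read": Sensitivity.CONFIDENTIAL,
                       "upload": Sensitivity.CONFIDENTIAL,
                       "share": Sensitivity.INTERNAL}),
    "marketing": Role({"read": Sensitivity.PUBLIC}),
    "auditor": Role({"read": Sensitivity.RESTRICTED}, all_loans=True),
}


@dataclass(frozen=True)
class User:
    name: str
    role: str
    assigned_loans: FrozenSet[str] = frozenset()  # need-to-know scope


@dataclass(frozen=True)
class Document:
    loan_id: str
    sensitivity: Sensitivity


# (user, action, loan_id, allowed, reason) for every decision, granted or not
AUDIT_LOG: List[Tuple[str, str, str, bool, str]] = []


def _log(user: User, action: str, doc: Document,
         allowed: bool, reason: str) -> Tuple[bool, str]:
    AUDIT_LOG.append((user.name, action, doc.loan_id, allowed, reason))
    return allowed, reason


def authorize(user: User, action: str, doc: Document) -> Tuple[bool, str]:
    """Return (allowed, reason). Every path that is not an explicit grant denies."""
    role = ROLES.get(user.role)
    if role is None:
        return _log(user, action, doc, False, "unknown role")
    ceiling = role.ceilings.get(action)
    if ceiling is None:
        return _log(user, action, doc, False, f"role may not {action}")
    if doc.sensitivity > ceiling:
        return _log(user, action, doc, False,
                    f"{doc.sensitivity.name} exceeds role ceiling {ceiling.name}")
    # Role permits the action; need-to-know still limits it to assigned loans.
    if not role.all_loans and doc.loan_id not in user.assigned_loans:
        return _log(user, action, doc, False, "loan not assigned to user")
    return _log(user, action, doc, True, "granted")


if __name__ == "__main__":
    officer = User("ana", "loan_officer", frozenset({"L-1001"}))
    tax_return = Document("L-1001", Sensitivity.CONFIDENTIAL)
    print(authorize(officer, "read", tax_return))
    print(authorize(officer, "read", Document("L-2002", Sensitivity.CONFIDENTIAL)))
    print(authorize(User("bo", "marketing"), "read", tax_return))
    for entry in AUDIT_LOG:
        print(entry)
```

Two properties matter more than the specific roles: the policy is data that can be reviewed against job descriptions during a risk assessment, and a missing entry denies rather than permits, so adding a new action or classification never silently widens access.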

● ● ●

Consumers have come to expect that the information they provide as part of the mortgage application process will be adequately safeguarded from unauthorized access or theft. Regulatory requirements aside, lenders and the originators who work with them are wise to tackle cybersecurity risks as their business depends upon it. Cybersecurity risk is a business risk. The protection of sensitive data is critical to the success of the mortgage origination market — both in terms of reputational risk and the ability to manage operations without succumbing to a cyberattack. ●


  • E.J. Yerzak

    E.J. Yerzak is director of cyber IT services at Compliance Solutions Strategies (CSS), which helps financial firms move from a tactical to a strategic approach in meeting regulatory requirements while optimizing compliance data, operations and technology. Yerzak assists investment advisers in managing cyber-security risk through testing and risk assessments. As a cybersecurity expert, he has authored numerous articles on emerging technology issues.
