The COVID-19 pandemic has been hanging over the mortgage industry and the rest of the country for more than a year. But among the rubble that remains from the destruction brought on by the pandemic, mortgage industry professionals may have found the rubies.
For mortgage companies and third-party vendors (namely title companies) that store sensitive borrower data, the pandemic may have unwittingly revealed several gaps or weak spots within their data-security network that might not have other-wise come to light. If not for the pandemic, these problem areas could have potentially turned up in a check of these internal systems and organizational controls, a process commonly known as an SOC-2 audit.
An SOC-2 audit includes a thorough review of what are collectively known as the trust services criteria, which include five principles — security, availability, confidentiality, processing integrity and privacy. With mortgage professionals suddenly working from home after the onset of the pandemic, gaps in these areas became exposed.
Chuck Bloodgood, chief architect and compliance officer with FirstClose, an Austin-based mortgage settlement services provider, offered more detailed points within the five trust principles that the pandemic may have exposed. “The bottom line is, the pandemic is exposing the quality and training levels of a company’s employees,” Bloodgood said.
- Security: With more employees working remotely, thinking about how digital traffic is managed has become more important due to the greater exposure risk through personal emails and files.
- Availability: Virtual private networks (VPNs) have become critical. Mortgage companies need to manage networks (and specifically firewalls) to ensure employees have access to the company’s essential computing resources while limiting access to nonessential data.
- Confidentiality: Technical and training issues have been raised because people are doing business outside the protection of company firewalls.
- Processing integrity: With so many employees working from home and executing processes remotely, it is up to individuals to use standard customer service processes. It is the responsibility of management to monitor these processes and identify issues before they become big problems.
- Privacy: Data must be protected since the potential for exposure is greater due to employees working at home — even if personal computers are being used.
The huge increase in the number of people working remotely is a potential issue because an employee’s home network isn’t typically configured with the same level of security as most businesses. Remote access to a company’s network has become a concern for information security specialists. Availability also is a concern as mortgage companies struggle to make their networks and systems available on a remote basis in ways never previously intended.
In addition, hackers have stepped up their malicious efforts, knowing that networks are less secure as employees access them remotely. The number of phishing attacks rose sharply over the first few months of the pandemic, and these attacks have grown more sophisticated, Bloodgood said.
Network vulnerability, data security and privacy, internet security and phishing may be greater concerns today, but according to Bloodgood, a good IT team is prepared to handle a global pandemic — even one with such a devastating impact as COVID-19. Understanding the potential exposures allows an IT team to address the risks.
A good IT team will have tools and training in place to mitigate exposures, such as multi-factor authentications; encryption on all home devices; use of VPNs; cyber insurance; and constant training on security awareness, phishing and other items. For a good IT team, these safeguards existed prior to the pandemic.
It has not been an easy adjustment for some mortgage companies, however, due to the sheer volume of data to be protected. With millions of individuals and thousands of businesses applying for pandemic-related financial aid, the volume of fraud has ratcheted up. SOC-2 audits help to tighten up various processes, especially those related to risk management, security control and training discipline.
“SOC-2 compliance is not the goal — excellent management, secure data and careful operations are the goals,” Bloodgood said. “A management team that identifies and manages risks as a normal part of doing business throughout the year is already running a constant cycle of readiness assessments and issue resolution. We use the SOC-2 standards to help define and prioritize the issues for resolution. If we do our job properly, SOC-2 simply becomes a spot check of a few hundred items we are already managing.”
Readiness assessments are part of being pro-active, which has become critical in the wake of several large-scale data breaches in the past few years. Performing a readiness assessment will give a mortgage company a distinct advantage in preparing for an audit.
First, it allows a company to identify and correct any deficiencies or gaps prior to the audit. When done in conjunction with an auditor serving as an adviser, the assessment allows the auditor to provide input and identify any potential concerns. Second, by undergoing a readiness assessment, an institution greatly reduces the chances of any material exceptions during the audit since the company and the auditor have essentially identified any potential roadblocks ahead of time. Third, it allows employees to understand what will be asked of them during the audit and prepare for it in a mock setting.
Being proactive as a company in reducing risk can help management develop good habits. Mortgage companies should not be reactive when it comes to information security. Being reactive creates feedback that someone is being lazy and has skipped over parts of the checklist. These omissions are not corrected and more occur in the future. One day this behavior may get noticed by nefarious parties.
A reactive position is never a good one to be in, especially during an audit. Mortgage companies that operate in reactive mode could be exposed to a loss of sensitive information, and there’s a high probability of human error resulting in a process or protocol oversight. Company executives need to think ahead by constantly evaluating risk under new circumstances and establishing protective measures before it’s too late.
SOC-2 audits have been evolving ever since they were introduced about six years ago by the American Institute of Certified Public Accountants. To Bloodgood, this organization’s focus on risk, vendor management and expanding the scope of these audits has been natural.
“Finally, think of the controls or processes that must be defined for non-system company resources,” Bloodgood said. “Consider the fact that most companies now have a distributed workforce and leadership. How do we demonstrate risks are known and managed properly for that environment? Also, when we assess our vendors, what do we want to know about their resiliency and capability to handle current and other future unanticipated conditions?”
A popular buzzword in the post-pandemic business world is “new normal,” and the way that mortgage companies and third-party vendors will prepare for future SOC-2 audits fits this description. The lessons learned during the pandemic will help mortgage companies compete for new business and retain existing business. The post-pandemic environment will have established a new normal for information security.
SOC-2 audits have become critical to businesses when it comes to the security of client data. But they have left an indelible mark on the mortgage industry and, in all likelihood, they will become a standard requirement for many business-to-business relationships. By having SOC-2 audit certification, mortgage companies can show their clients and business partners that they care about the security of transactions because they’ve put in the time, effort and money to do so.
Since mortgage and title companies deal with a massive amount of personal and confidential data, they need to demonstrate to their clients that they have the proper environment in place to protect this data. An SOC-2 audit is the most widely accepted way to normalize risk assessment across multiple companies. It answers a constantly unspoken question — does your vendor care enough about you to protect your company and your data?
This is a question that mortgage industry leaders should be ready to answer. If not, they may not like the answer that the SOC-2 auditor gives. ●