2016 was a difficult year for cyber attacks — the number of data breaches in the United States reached an all-time high of 1,093, up 40% from 2015. While it has been spared thus far by nation-state hackers, the U.S. mortgage industry supply chain is a massive target for information security breaches.
The vulnerability lies in the fact that the security posture of the vendors in a mortgage company’s supply chain is often inadequate. The top cyber risk issues in the mortgage supply chain include poor prevention of web-script abuse attack, insecure web connections, poor cryptography, weak domain health and large attack surfaces.
Mortgage industry enterprises must no longer just “trust” their vendors, because point-in-time audits are insufficient to monitor vendor security.
Security risk and the haves and have-nots
The mortgage market suffers from a security dichotomy — “haves” vs. “have-nots.” The biggest players boast well-advanced security and large, dedicated security teams. Smaller companies struggle to maximize limited security teams, implement complex technology and stay on top of shifting regulatory requirements. Often banks are highly regulated and invest significantly in their own security. But, nonbanks, bank partners and vendors are not necessarily as vigilant. This means that the risk of a major attack is growing.
Automation and the “digital mortgage” are disrupting the traditional origination process, but this disruption comes with increased interconnectedness and sharing of borrower data with many third parties. There are more data processing partners, which increase the amount of data exchanges in the name of speed and convenience for the borrower.
Accordingly, the number of paths for a hacker to access a bank’s data is growing, and the new entrants have immature or non-existent third-party risk programs. These companies tend to be smaller and tend to utilize sub-servicers to perform their servicing. The sub-servicers generally have immature security programs which makes them open to attacks.
These non-banks and vendors are a good hacker target because financial data is highly desirable on the black market. Deep-rooted connections and constant transfer of consumer data within the industry creates a ripe ecosystem that can more easily be leveraged to exploit organizations across the entire supply chain. Homebuyers are a good “target” demographic because they have other valuable digital assets like credit data that can be stolen. This combination makes mortgage companies an attractive target.
Financial and regulatory impact
Hackers can steal data on an estimated 60 million U.S. mortgage records with an estimated possible financial loss of close to $60 billion. If a breach happens, a mortgage company might not believe it is their fault. But the truth is, whether they’ve collected the data, or received the data from another firm, the mortgage company is on the hook in the liability chain. A mortgage company does not escape liability simply because it handed the data off to another, or because it may have received it from another.
Most companies are significantly under-insured for such a liability. In fact, cyber risk insurers are growing more sophisticated and providing for exclusions that preclude coverage in common situations. For example, phishing (acquiring information that is provided voluntarily in response to deceptive communications) is a common exclusion – yet over 30% of attack vectors involve some form of phishing. Policies also often have tight limits on pain points associated with a breach, and insurance policies normally will not cover losses associated with a supply chain vendor’s mistakes.
And how will mortgage companies handle the fines handed down by regulators such as the Consumer Financial Protection Bureau, Office of the Comptroller of the Currency or the Federal Trade Commission? Even if the company escapes the regulators, many litigious lawyers and victims will seek damages ($200-$1,000 per record liability). Regulators and plaintiffs’ lawyers have been active, and are becoming more active, but there are even worse scenarios that can arise in the mortgage industry involving data security.
Presume a lender has done everything correctly in data security, and its servicer that holds personal information that has been collected from borrowers has a breach, and that breach is not disclosed to the lender (and perhaps the servicer is unaware of the breach). The lender then learns of the breach by an inquiry from the FBI, after finding a data-dump containing its borrowers’ data on the dark web.
After spending millions on investigation and notification, the CFPB, FTC and state attorneys general bring enforcement actions against not only the servicer, but the lender as well, for failing to comply with state and federal laws on data security that require “reasonable” precautions and vendor monitoring.
Keeping mortgage companies safe with continuous monitoring
The industry’s current process for monitoring supply chain vendor security is point-in-time audits, “trust but not verify,” and relies upon contractual agreements. A mortgage company may think a servicer is secure based upon their annual audit results, but through continuous monitoring, the mortgage company can see the servicer’s cybersecurity posture between point-in-time audits.
The poor security problem is too big for one company to manage alone, and requires all participants in the mortgage ecosystem to embrace new approaches as part of their overall IT and security risk management programs.
The technology is available for continuous monitoring of third parties combined with active assessment and enforceability of security contract provisions. By pursuing a proactive third-party risk management approach across the expansive (and likely unknown) mortgage supply chain, organizations will improve their overall security performance while strengthening the entire supply chain ecosystem.
In order to mitigate risks and defeat offensive cyber attacks, mortgage companies must commit to:
- Proper security frameworks and policies that secure data both inside and outside of the organization;
- Assess which vendors and third parties may directly create a risk (cyber, business impact and legal) and become the source of a data breach;
- Work with experts that can help assess and manage the risk across the supply chain and build better defense-in-depth to prevent a breach;
- Use tools and analytics that are specially designed to monitor and assess the security posture of vendors in real-time, as well as improve contractual provisions that result in greater security performance.
The mortgage industry is a critical component of the U.S. economy, transacting trillions of dollars in loans annually. The complexity of the supply chain to originate and service a borrower’s loan is high with a borrower’s data exchanging hands across many parties. Additionally, information security practices, levels of security investment and maturity are widespread. Given this risk profile and the data exposure, the mortgage supply chain is at high risk for nation-state-level cyber attacks.
Continuous monitoring is available and needs to be the industry standard to protect data, but also to protect the industry players. With continuous monitoring, mortgage companies can identify vulnerabilities and pro-actively mitigate them before they become hacker targets.