Cybersecurity impacts all corners of the business world, and mortgage lenders are particularly susceptible to digital safety breaches because of the large number of third parties transferring sensitive data between the origination, servicing and securitization sectors.
‘Any time data is in motion, it's very vulnerable,’ says Bill Wansley, senior vice president at security consultant Booz Allen Hamilton in McLean, Va. ‘When it's in motion, it is not always encrypted.’
Despite increasing news reports about compromised online data and a U.S. Securities and Exchange Commission requirement that publicly traded companies report security breaches, the problem may actually be under-reported.
‘You just don't see small institutions reporting a breach,’ Wansley adds, noting that firms worry the revelations could hurt confidence in them. ‘There's probably not an institution out there that hasn't been penetrated.’
As mortgage banking receives an increased level of attention from the media and politicians, it is also catching the eye of cyber criminals.
‘It's more of an attractive target by its very nature because the application for a mortgage loan digs deeper into a person's financial life than any other application,’ observes Mary Beth Guard, executive editor of BankersOnline.com and BankingQuestions.com in Oklahoma City, which provides compliance and training help to financial services firms. ‘If cyber thieves can access a treasure trove of mortgage applications, they have everything they need for an identity theft.’
According to Wansley, cyber criminals consist of three primary groups: ‘hackivists,’ organized crime factions and foreign nationals. Each group has a strong interest in targeting mortgage banking operations: Hackivists mainly aim to embarrass companies, organized crime factions steal data for identity theft and other profit-generating schemes, and foreign nationals use stolen personal data as a means to steal corporate intellectual property and examine confidential financial data for potential investment decisions.
Wansley believes that cyber crime is so extensive that companies should presume their systems are already compromised and, thus, constantly scan their systems and work to purge malicious code. Hackers can leave malware that remains unseen on a company's system but silently collects sensitive data and sends it out at night.
‘We have never got into a major institution and not found some of this malware,’ Wansley says. ‘The perimeter fence mentality just doesn't work anymore.’
While large banks have invested substantial sums in sophisticated cybersecurity, many smaller financial companies have not put money into that level of protection. However, cyber criminals are not picky when it comes to selecting their prey.
‘Criminals are looking to target opportunistically any kind of organization that they can,’ says Mike Urban, director of financial crime risk management solutions at Brookfield, Wis.-based Fiserv, warning that small firms can no longer think they can ‘fly under the radar.’
Last month, the DHI Mortgage subsidiary of D.R. Horton Inc., the country's largest home builder, suffered a software security breach in its Internet loan prequalification system. DHI Mortgage said it immediately isolated the affected server, purged affected files, modified its electronic security measures to address the specific issue, and notified affected customers that their personal data might have been compromised.
‘Fraudsters have continued to develop and deploy more sophisticated, effective, and malicious methods to compromise authentication mechanisms and gain unauthorized access to customers' online accounts,’ says the Federal Financial Institutions Examination Council (FFIEC), an umbrella group of regulators. ‘Rapidly growing organized criminal groups have become more specialized in financial fraud and have been successful in compromising an increasing array of controls.’
However, the news is not all bad for smaller mortgage firms. Many protection methods are relatively inexpensive, according to Wansley, who adds that simple changes to software architecture can improve protection.
Also important in fighting cyber crime is staff training. Guard recommends one technique that involves employees being split into groups to figure out how criminals can exploit any weakness in the company's system.
‘It's sometimes scary to see what employees can come up with,’ Guard says.
Joe Dombrowski, chief mortgage strategist for Fiserv, recommends that mortgage firms consider industry standards for data storage, disposal, transferring and auditing, and use ISO standards as a goal.
‘People expect that of large companies, and now smaller companies are starting to adopt some of those standards,’ he says.
There is also financial protection available. Mortgage Builder, a loan origination system provider in Southfield, Mich., routinely audits its cyber safety program. However, it also carries cyber liability insurance.
‘If all else fails, we still have that insurance,’ says Ben Wrona, marketing director.
The FFIEC urges financial services companies to implement multiple layers of identity protection, including cookies and challenge questions.
‘Since virtually every authentication technique can be compromised,’ says the FFIEC in its supplementary guidance, ‘financial institutions should not rely solely on any single control for authorizing high-risk transactions, but rather institute a system of layered security.’
Michael Kling is a former editor of Secondary Marketing Executive and a financial writer based in Stratford, Conn.