This feature originally appeared in the February issue of MReport.
Mortgage banking firms serious about managing cybersecurity risk must consider a variety of factors across the organization, including processes, equipment, facilities, human capital/people, industry knowledge, skills, and the use of third-party service providers. Doing so requires a commitment to a robust risk-management technology solution that combines internal controls and regulatory compliance and adequately encompasses these factors. Having such a technology solution is a critical lynchpin toward creating a culture within the organization and amongst third-party service providers that is focused on understanding and managing cybersecurity risk and embracing the necessary internal controls.
This is particularly critical given the myriad of sensitive, confidential, and customer/investor-centric financial information that mortgage bankers house and are privy to—including loan origination, underwriting, deal structuring and securitization, customer service, cash application processing, and loan servicing, on through to foreclosure, bankruptcy, REO processing, and asset disposition.
It is, therefore, necessary to have a technology solution that helps identify control and compliance gaps and which allows management to achieve its principal objective of taking necessary preemptive actions to ensure the protection of consumer and investor data.
Proactively Focusing on Prevention
Being proactive by taking preventative actions is crucial. Once cybersecurity risk has reared its ugly head and damage has been done, the organization’s road to recovery may be in peril. Mortgage bankers should consider having one end-to-end technology solution that can assist them in getting out in front of those latent and hidden risks that may cause damage—not only to each specific functional component of the mortgage finance organization (i.e. loan origination, underwriting, customer service, loan servicing, payment processing, collections, loss mitigation, default management, structuring/securitization, etc.) but also to the enterprise as a whole (i.e. whether it be a savings/commercial bank/investment bank, a broker-dealer specializing in trading, etc.).
Having multiple technology solutions is the least preferable option, as having more than one system only potentially increases the cybersecurity risks associated with housing proprietary customer and investor information on multiple platforms. Protecting the consumer’s private information needs to be front-and-center. If not, the impact that cybersecurity breaches may have on the mortgage business can be devastating. Data breaches involving investor information that may be held by a firm (i.e. the issuer, the sponsor, the securitization agent, the primary or master servicer, etc.) can be equally devastating.
Regardless of how low the interest rates being offered are, how high the quality of the customer service is, how good a job the firm does at default management and loan servicing, or how effective it is at minimizing loss severity, investors and consumers will undoubtedly take their business elsewhere once they lose confidence that their data is being kept confidential and adequately protected.
Data breaches involving consumer/investor data and information can be enough for any mortgage banking entity to lose business permanently. Aside from the potential financial impact, having just one data breach may be all it takes to shatter consumer/investor confidence and end the firm’s ability to operate as a going concern. Once the damage is done, it is too late to take remedial action after the fact. Therefore, taking preventative actions is crucial. At a minimum, such preventative actions should address the following:
• security information and event management (SIEM)
• data loss prevention
• patch management and software vulnerabilities
• penetration testing
• firewall administration
• development of business continuity and disaster recovery plans (with related testing)
• vendor/third-party service provider risk management
• systems security processes and procedures
• cloud security
• web application development and security reviews
• compliance with SOX, HIPAA, and other applicable government laws and regulations
Having a technology solution that focuses on prevention and encompasses the critical components of cybersecurity outlined above is indeed prudent and optimal. Investing upfront in an appropriate technology solution can help avoid potential losses associated with data security breaches; by not investing upfront, mortgage banking entities expose themselves to a wide array of issues. In addition to losses associated with data security breaches, mortgage banking firms also open themselves up to costs associated with lawsuits, fines, and penalties assessed by regulatory and governing bodies. Data breaches may also lead to a decline in consumer/investor confidence, cause significant reputational damage, and result in the loss of existing business and/or the forfeiture of new business.
Security Roadmap and Operational Risk Management
Preparing a comprehensive enterprise security roadmap and risk assessment focused on the mortgage banking entity’s overall information management effectiveness is critical. It is essential to have in place a security roadmap and a prepared risk assessment that encompasses a wide range of areas, including network and server architecture, governance, risk, compliance, operational controls, security policies, procedures, and oversight.
Such an assessment should include detailed information concerning security gaps, along with a prioritized roadmap to assist with reducing overall risk by helping to prevent and minimize security incidents and breaches before they occur. Controls and risks should be analyzed against ISO 27001 and NIST 800 security standards, as well as with other generally accepted industry practices. Having such an operational risk management infrastructure in place will likely build confidence (i.e. among regulators, investors, consumers) that the mortgage banking entity has the necessary controls in place to proactively safeguard against potential cybersecurity risks. This may be particularly true of regulators and investors who will have a deeper understanding of the risks associated with cybersecurity breaches.
Building a Comprehensive Security Program
Building a comprehensive security program that factors in applicable business laws, regulations, and standards is a key step in dealing with cybersecurity risk. Developing specific organizational policies and programs that create an overall risk engagement strategy is highly recommended. In addition, mortgage banking firms should have a robust and formal risk-management oversight program in place to ensure optimum value exists across all vendor and third-party relationships to maximize quality, strengthen control, protect information and data, minimize risk, and reduce cost.
Given the widespread use of third-party service providers and vendors across the mortgage finance industry (i.e. property valuation/BPO providers, wholesale originators, property managers, skip-tracing agents, foreclosure and bankruptcy attorneys, title agents, mortgage insurers, etc.), it is important that all third-party entities used have the necessary controls in place to protect and safeguard consumer and investor information and data. A robust and formal third-party vendor surveillance process must be put in place. More specifically, mortgage banking firms should have formal processes established to ensure that vendor/third-party assessments are done on a consistent, periodic basis. Protocols should exist to help identify issues and ensure that necessary remedial actions are taken by the third-party vendors being utilized.
Additionally, root-cause analysis should be conducted relating to any systemic issues that may be identified so that necessary controls and preventative actions can be deployed to prevent future data and cybersecurity breaches. Furthermore, poor performers and repeat offenders should be replaced with more qualified suppliers in order to safeguard information and contain risks associated with data breaches.
Risk and Control Self-Assessment
Having a robust Risk and Control Self-Assessment (RCSA) feature is an essential component of a proactive and preventative cybersecurity risk management process. Firms should invest in a technology solution that allows management to perform targeted testing in advance of cybersecurity breaches. This is critical so that controls can be implemented and/or strengthened as necessary. Furthermore, RCSA is a critical component that should be built into the cultural foundation of any mortgage banking organization so that the workforce is dedicated to continuously improving processes and underlying controls. Taking such a proactive stance, along with implementing whatever process improvement routines are deemed necessary, can help avoid costly cybersecurity breaches. This will help to minimize or eliminate financial losses and prevent associated reputational damage.
Risk Event Management
Clearly, mortgage banking firms must embrace a technology solution that helps in preparing vulnerability assessments and penetration testing. A penetration test assesses the effectiveness of security controls by simulating a real-world attack that mimics current adversary techniques. Penetration testing is useful for illuminating unknown security weaknesses that could result in data being compromised.
This enables the organization to identify cybersecurity weaknesses and implement necessary safeguards and controls before an actual breach occurs. It also assists mortgage banking firms in developing a comprehensive set of documented cybersecurity policies and procedures through clear identification of control gaps against critical processes. It is critical to have a technology solution that can help determine the existence and possible exploitation method of vulnerabilities associated with network hosts, devices, and applications from the perspective of an intruder targeting the systems from the internet. Multi-factor authentication and risk-based authentication are necessary to protect against unauthorized access to private non-public information or systems.
What About the RMBS Process?
Of course, it goes without saying that the entire mortgage-backed securitization process is at risk from cybersecurity weaknesses and attacks. Deal structurers, issuers, sponsors, private-label investors, government-sponsored entities (GSEs), bond/mortgage insurers, and trustees—to name a few—are all vulnerable when it comes to the protection of data relating to mortgage securitizations. From tape cracking, to data aggregation, to putting together confidential deal documents, to protecting and sharing proprietary borrower information—the threat of cybersecurity weaknesses and attacks is very real and poses significant risk to all parties involved. In a mortgage software solutions blog published back in May 2015, author Justin Kirsch noted that “the mortgage industry is particularly vulnerable to digital breaches because of the number of parties involved in the sharing of sensitive data.”
Since that time, security breaches and other disruptions have only increased due to the rise of more advanced technologies and the increased sophistication of cyber predators. The proprietary and confidential nature of in-process deal securitizations is also subject to cybersecurity attacks. As a primary example, and to further illustrate this point, consider the sponsor—the firm that has originated or purchased a given quantity of mortgage loans, groups them together to form a pool, and subsequently issues securities backed by the underlying mortgage loans. In the ordinary course of business, the sponsor will acquire and store sensitive data—including intellectual property, proprietary business information, and personally identifiable information of prospective and current borrowers, employees, and third-party service providers.
Given the criticality of the secure processing and maintenance of this information, the loan sponsor’s information technology and infrastructure may be vulnerable to attacks by hackers or breaches attributable to employee error, malfeasance, or other disruptions. Any such breach could compromise its networks, and the information stored therein could be accessed, publicly disclosed, misused, lost, or stolen. Any such access, disclosure, or other loss of information could result in legal claims or proceedings, regulatory penalties, or liability under laws that protect the privacy of personal information, disruption to the loan sponsor’s operations and the services it provides to customers, or damage to its reputation—any of which could adversely affect the operation, reputation, and competitive position of the loan sponsor and, in turn, the borrower.
Effectively managing cybersecurity risk cannot be accomplished without a suitable end-to-end technology solution that enables management to proactively take preventative measures before a breach occurs. Having an automated and robust risk solution for managing operational risk, internal control, and regulatory compliance is critical so that mortgage banking firms have the essential tools needed to effectively manage cybersecurity risk and undertake the necessary preventative actions ahead of security breaches.