As the digital age surges forward, mortgage companies now have a new issue on their hands—cybersecurity.
Mortgage companies are at risk of cyber attacks on their information as well as compromising consumer's information. Trillions of dollars are lost from cyber crimes each year due to information breaches and attacks.
James M. Deitch, CEO of Teraverde Management Advisors, a national consulting firm in the banking and financial industries, sat down with MReport to discuss this growing issue and the potential risks it posses to the mortgage industry.
MReport: What issues do you think cybersecurity poses for the mortgage industry and who is most at risk for this kind of problem?
Deitch: Mortgage bankers have a couple of risks in the cybersecurity space. The first is the actual loss of data due to a breach where personally identifiable information is infiltrated by a hacker. The second risk they have is repertory risk, in that under Gramm–Leach–Bliley Act (GLBA) and various state regulations, that if a breach occurs there are really two tracks you go down:
- One is the Consumer Protection track to notify the consumer that their information has been lost.
- And then secondly, the Regulatory track, which indicates that perhaps the information security measures that are in place at the company are not necessarily all that they need to be.
- And then the third area is malicious attacks such as ransomware, where an employee opens an email or clicks on a website that has malware on it which proceeds to encrypt the employee’s computer and if not properly protected, that malware can propagate throughout the company’s network onto servers and encrypt the server, and literally bring the business to a standstill.
MReport: What are your experiences with cybersecurity in the mortgage industry? Can you refer to any personal experiences?
Deitch: There are a couple of issues that I’m personally aware of and helped remediate. One would be where an employee of a mortgage banker clicked on ransomware such as cryptolocker. The person realized that they clicked on something they shouldn’t of but didn’t really do anything to inform the IT team about it. And what happened was their computer was encrypted but it propagated back and encrypted the server at the mortgage banker. So within a couple of hours, the mortgage banker had to stop their operations and clean their server off and restore everything (on/from) backup which took a fair amount of time. And during that time your attention is on restoring the server not on customers. Fortunately that mortgage banker had backup, but in another case, where this occurred, and there wasn’t a good backup, and in that particular case, the lender had to restore a lot of information simply by rekeying it and taking the paper files and rekeying it from the original source data which takes a lot of time and introduces a lot of errors.
In another case, using social engineering, an employee of a mortgage banker was tricked into thinking that the CEO sent a request to wire $21,000 to a specific account and the email was spoofed. The person had done enough social engineering work to understand the habits of the CEO but that $21,000 was gone. And once you wire it, it’s gone.
So those are small types of issues in the whole scheme of things, nonetheless these losses are going on everyday.
MReport: How can mortgage companies adequately prepare for cyber attacks?
Deitch: The first item is to do a pretty broad risk assessment and just understand what the risk elements to the company are. One can do a social engineering susceptibility test that are fairly straightforward. They can either be done by the company or independently. The second is just to go through what is called “patch management,” just to make sure that all the updates on software, servers, or computers are all done. And to train employees on the techniques that hackers use to get in.
Hackers don’t usually smash through the firewall. They are usually invited in by having an employee click on an email that has an attachment or go to a website which has malware contained on it. And that malware can be downloaded onto a machine simply by browsing on the website.
Just the knowledge of the risks are important. If you’re driving along a windy road at night, make sure you turn your headlights on. That’s similar to if you’re winding through the roads where the Internet can lead, you’ve gotta have your headlights on and know the types of risks that come with social engineering.