Originators have a stake and role to play in protecting data
Security breaches are a pervasive problem in the mortgage industry, but mortgage originators may not realize how important it is for them to be conversant in the latest systems, threats and best practices in cybersecurity technology. If originators are untrained in security practices and in the dark about top-line threats, they put their careers as well as private borrower data at risk.
Financial-services companies are highly desirable targets for cybersecurity bad actors. The average annualized cost of a cyber-security breach to a financial services company in 2016 was $16.53 million. Financial services companies were attacked 65 percent more often than companies in any other industry in 2016, with more than 200 million records breached. Unfortunately, according to security consultants Teraverde and Tangible Security, the pressure to produce more and lower costs can compel some mortgage companies to compromise security for speed.
Originators handle large amounts of borrower data, which is worth a lot of money to cyber criminals. That alone should motivate originators to guard against security breaches. But, according to cybersecurity and data-privacy attorney Shawn Tuma, mortgage company officers also may be held personally responsible for data damages from data breaches.
On a more practical level, borrowers know cybercrime is a huge threat. They need originators whose systems are streamlined and safe. In a crowded mortgage marketplace, borrowers are more likely to select originators who understand cybersecurity and can intelligently address their concerns.
Originators need to pay attention to more than the devices, networks and software via which they handle customer business. They must be careful and diligent in maintaining personal habits and business methods that deter information theft. Here are five things originators should do to secure their clients’ information.
1. Evaluate your security
With every processed loan, loan originators and borrowers are likely to communicate across various devices from multiple locations. Whether working for a major institution or as an independent broker, astute and aware mortgage professionals should understand the general strategy, technical characteristics and proven effectiveness of the security platforms that protect client information.
Originators should have basic knowledge of the most prevalent types of predators and tactics, types of encryption and firewalls, reputation of third-party vendors and the track records of competitors. Environmental awareness also includes non-technical diligence. Do not leave computers or papers unattended in the office or when working remotely.
2. Conduct an inventory
A formal data and risk analysis can help mortgage companies and their employees guard their clients’ data and protect themselves from damaging litigation as well. Although there are various resources available, a good place to start is the Cyber Assessment Tool published by the Federal Financial Institutions Examination Council (FFIEC).
Lending-industry consultant Jim Deitch calls the Cyber Assessment Tool a starting point. One of the tool’s drawbacks, according to Deitch, is that it doesn’t account for the numerous external originators that many companies employ. Without a desk in the office, these external originators may be using unsecured Wi-Fi connections — in real estate offices or coffee shops — while handling sensitive borrower data. Deitch’s point is that any data and risk inventory “must adapt to the context of the bank or lender’s business model.”
3. Check cyber insurance
Although it is not required by law, many lenders and mortgage companies maintain cyber insurance policies. Originators should know whether they are covered as an employee or agent, and to what degree they are covered.
According to the Ponemon Institute, a research center focused on data security, data breaches cost on average $245 per compromised record this past year. How many records are in your personal database? It is important to find out what kind of coverage your employer has and what practices you must follow to avoid personal risk.
4. Train and retrain
Every originator needs to learn the essentials of cybersecurity risk and awareness, and stay up-to-date on new threats and prevention techniques. Originators who work for large companies can gauge their overall security competence by the amount and quality of their required training, which should extend beyond a single orientation session when they are hired.
It is easy to forget practices, policies and procedures, according to security consultants Roshni Patel and Daniel McKenna, and cyber threats are constantly evolving and expanding. Loan officers should receive regular training on cybersecurity best practices and on the latest hacker techniques. Training also should focus on seemingly innocent behaviors that could put borrower data at risk, such as leaving your computer or phone unattended when you step away for a moment.
5. Report everything
Although lenders and mortgage companies devote significant resources to guard against threats, the Poneman institute reports that most of the companies they surveyed devote less than 10 percent of their security budget to responding to threats. It is critical, therefore, for originators to identify and report every abnormal online occurrence they see, no matter how fleeting or trivial.
Did you accidentally open an unknown or unwanted e-mail? Did you have trouble log-ging on to a trusted site? Are you receiving strange pop-up messages? Don’t just erase or block them. Tell your supervisor or the security lead of your information-technology department about suspicious activity, including office visitors looking over shoulders or at unattended computers. Unless originators immediately report all potential threats, costly data breaches may go undetected.
Rather than becoming an expert on the latest, most damaging hacks and viruses, originators simply need a general knowledge of safety procedures and to know how to advise their borrowers on the dangers related to digital-loan processing. When one kind of malware is successfully eliminated, a new menace always seems to take its place. The best solution is to be careful and cautious in using technology from origination through closing.
“This article originally appeared in Scotsman Guide.”
To learn more about staying relevant in the mortgage industry, please sign up for our newsletter.