Real estate finance firms "are subject to the weakest link (security breaches) just like anyone else," says Bob Childress, CEO of Solace Insurance and 30-year industry veteran, especially smaller-size companies.
Cybercrime reports about data security breaches caused by bad guys in another country tend to overshadow great "internal risks that are rarely in the news" unless the name of the company is well known to most readers, like Target, he explains.
What makes things worse is that due to the borrower-centric nature of their business housing finance companies tend to suffer bigger cybercrime related costs.
"It does not have to be a million-plus records stolen to ruin the reputation of the mortgage company/title company/real estate company. It just has to grow legs in the community they work in and the trust is gone."
So-called spear phishing is a big risk these companies face, he adds, because it consists of a well camouflaged email fraud. Email is sent from “known” sources with links designed to trick recipients to click on, and as a result enable the criminals to gain access to computer key strokes so that when the computer owner sends an email containing consumer data not knowing that the computer is infected, the data are also sent to the criminals.
Cumulative costs of critical PR, consumer credit monitoring services, consumer reimbursement of lost funds, or consumer protection law violations, bank fees and related future revenue losses, can even destroy a business, according to Childress. In his view, sophisticated technology and cyber liability insurance can help mitigate losses.
Everyone, despite their industry, knows that businesses can limit financial loss suffered from internal and external data breach risks by securing cyber insurance, "but a majority of organizations are foregoing protection."
Media reports of state attorneys general investigations indicate regulators' assistance can go only so far. Target’s nationwide data breach, during which tens of millions of credit and debit card records were stolen from the servers, resulted in over $70 million in losses, three class-action lawsuits, and more than $5 million in damages being sought, he says.
Childress maintains that as the world has become an Internet-centered arena, "the propensity of cybercrime has grown, and with it, the need for small to medium-sized enterprises to protect themselves against cyber theft." Adequate cyber protection, he adds, should also include Internet security training for employees.
Whether small- to medium-size business owners are becoming more aware of their cybercrime protection needs or not, service providers are trying to get ready for the demand.
Keynote, a San Mateo, Calif.-based provider of cloud-based testing, digital interaction monitoring, and analytics that collects over 700 million mobile and website performance data daily, has acquired Meucci Solutions, also a global services provider that specializes in mobile fraud detection and end-to-end quality of service monitoring technology.
The acquisition is expected to enhance "Keynote's ability to move fast into important adjacent, complementary and fast growing markets," executives say, while Thoma Bravo, the private equity firm that acquired Keynote in August 2013, restructures it as a private company.
Keynote DeviceAnywhere, a cloud-based software platform for automated QA testing and monitoring of mobile apps and websites on real smartphones and tablets and Meucci complement Keynote SIGOS, says Jennifer Tejada, president and chief executive officer of Keynote. The merger will allow both companies to continue to grow and implement the investor's goal to keep Keynote on a transformative fast growth path alongside growing demand for cybercrime prevention. Meucci adds a mobile, "highly scalable" fraud solutions platform.
Digital fraud costs in other industries indicate the mortgage industry faces equally high risks. For example, the interception of international calls and theft of interconnection fees is costing the wireless industry in emerging markets and governments globally an estimated $2.9 billion every year, according to Tejada.
More companies are adopting their business strategy to the new marketplace.
"The theft of consumer information from loan documents, particularly the loan application, which has significant financial information about the consumer, is a risk commonly seen in the mortgage industry," agrees Sanjeev Malaney, CEO of Capsilon.
Last year the San Francisco-based provider of cloud-based mortgage loan document management for lenders and investors increased monthly recurring revenue by 66% and its U.S.-based staff by 180%. Since January 2013 when Capsilon acquired DocVelocity, a document imaging distributor of Capsilon’s technology, from Flagstar Bancorp, says Malaney, new software development has been part of efforts "to increase market share." This year the company opened new offices in Troy, Mich., and Irvine, Calif., and has taken additional cyber risk protection measures.
Capsilon does not accept credit cards, Malaney explains, but is responsible for complying with the Gramm-Leach-Bliley Act, which requires companies that provide consumer financial products to explain their practices regarding information sharing and to safeguard sensitive information.
"Hence, there are extensive levels of access security built into our infrastructure, backed by cyber risk insurance and ongoing intrusion testing and monitoring."
In addition, Capsilon requires "training and testing for all employees on security procedures and policies," he says, which is completed upon hire with annual training and retesting every year.
Cyber risk exposure "is a moving target" that varies depending on the volume of online transactions and number of employees that have access to the database, Childress says, so the budget for coverage would be commensurate to the company size.
"It's a reputational damage issue that costs money," because not all companies, especially smaller-size firms, prepare for it.