How to ensure mortgage vendor outages don't disrupt business

While lenders need contingency plans to put into action if a cyber attack debilitates their in-house systems, they also need to ensure the flow of business is uninterrupted in the event that a vendor's technology goes offline. 

To get an idea of what they must do, consider the temporary shutdown of some title systems seen recently, said Donna Schmidt, managing director and owner of vendor DLS Servicing and co-founder of a technology called Waterfallcalc.

The system outages at Fidelity National Financial's Servicelink and First American illustrate the value of working with multiple vendors, she said. 

Anyone reliant on just one title vendor could face procedural delays. In an area like default servicing, where a title report is necessary to determine whether a modified loan can stay in a first lien position, such delays could jeopardize the ability to meet certain deadlines.

Once default servicers have the information needed from a borrower to make a decision on a loan outcome like a modification, they have 30 days to deliver it under Consumer Financial Protection Bureau rules.

Companies with multiple, pre-existing vendor relationships may not skip a beat in such tasks when system outages arise.

"They can keep plowing through what they have to get done. Others may have issues with delivery times," said Schmidt.

That's because the approval process when signing a contract with a new vendor often requires more time than mortgage companies have if they want to avoid delays, she said.

The CFPB's 30-day rule is just one of many time-sensitive tasks servicers have to fulfill promptly to avoid expenses.

"When you're dealing with anything in the default area, you are up against a very firm deadline that could cost you money," Schmidt said.

That's why she's been advising clients to have multiple vendors in areas where they're really needed.

"We're telling our clients to start looking at some redundancies in critical situations. Property inspections is another one. You have to do property inspections between 45 and 55 days in order to get reimbursed by HUD," said Schmidt.

While the thin profit margins in the industry might make a mortgage company think twice before investing in contracts with multiple vendors, her company and some others do charge on a per-loan basis, which makes it easier to keep them on standby, she said.

"You can send all your business to one vendor, but you should have a relationship with another one as a backup to cover you if you can. I think we have to get there in these days of cyber attacks," Schmidt said.

Tips for lenders

Vendor outages, and in-house outages caused by a problem at a third party, have shown the potential to interrupt business in both originations and servicing.

"Having backup vendors and good vendor management policies in case third parties create counterparty risk is paramount," said Matt VanFossen, CEO of Absolute Home Mortgage Corp.

While some vendors have a per-loan charge that makes having a second provider in reserve more viable, in other cases it may not be feasible to have something like a second loan-origination system immediately at hand.

Lenders have been wary of LOS issues for years. A 2014 outage at Ellie Mae related to what was later confirmed to be a DDoS attack was one historical development that highlighted the risk.

In that case, the shutdown of the widely-used system delayed closings and created the need for additional hedging and rate-lock expenditures.

Even if it's not feasible to have a backup vendor, lenders should check on whether their providers have their own redundant systems, and possibly use "cold storage," an encrypted, offline repository of data that stays available when online systems go down.

Protecting data

Encryption and other steps should protect any customer information that could be exposed to or by a third party, regardless of whether it's offline or online, said Hilary Jewhurst, the head of third-party risk and advocacy at Venminder.

Cold storage is "where you should have your information security expert weigh in," said Jewhurst, whose company provides technology for vendor management and due diligence services. It also operates as a think tank with a free repository of information.

Having a secure in-house data backup for any company information distributed to a vendor or otherwise can be a helpful preventative measure in the case of ransomware attacks that mortgage companies like Loandepot or Flagstar have experienced.

Mortgage companies should know if their vendors have data backups too, said Jewhurst. Lenders and servicers also should be aware of how often those backups occur.

"So if something goes offline at 4 p.m., you'll know whether you're losing, say 14 hours of data versus months of data," she said.

Security is particularly important, in data backups and elsewhere, because lenders and servicers hold a lot of their customers' personally identifiable information, a circumstance that can expose mortgage companies to risk through vendors.

Fairway Independent Mortgage and Planet Home Lending are recent examples of firms that have faced lawsuits alleging they're responsible for exposing customer PII, even though both say the respective incidents occurred due to a third party's vulnerability.

When asked about tips for managing PII when working with vendors, Jewhurst said one message she's been trying to get across to companies is the need to know what specific types of PII their third-party providers' systems touch.

"Not only should you know how they handle that data and what their cybersecurity practices are, but you should absolutely be able to, at a moment's notice, be able to know exactly which components have PII they handle," she said, referring to items like Social Security, driver's license, passport, and credit card numbers or account balances.

Financial institutions may want to consider what vulnerabilities there are even with business partners that aren't in the technology business, Jewhurst said.

A bank distributing gifts from a florist to wealth management customers through a technology system or otherwise could be a PII violation because it could identify those people to the vendor as high net-worth individuals.

Making it manageable

The florist example shows how far-reaching the risks can be and how difficult it might be for mortgage companies contending with budget limitations to get their arms around those risks and address them.

To address that concern, Jewhurst recommends starting by prioritizing compliance with cybersecurity requirements imposed by regulators and key counterparties like the Federal Housing Finance Agency or Ginnie Mae, and identifying the biggest sources of risk.

"You don't have to put the same level of attention on all your vendors," she said. "Generally speaking, for most organizations, about 10 to 15% of their totals and our portfolio is going to be critical. That's going to help you narrow your scope quite a bit and if you have limited resources."

To determine which vendors are the most critical, Jewhurst advises starting by considering the extent to which an interruption in a vendor's systems for a particular period of time would affect the mortgage company.

"We recommend that people understand criticality and three key questions," she said. "One is if a vendor goes offline for more than 24 hours, is it going to materially disrupt our business? Is that disruption going to affect our customers? And what if it takes us more than 24 hours to get back online?"

Aspects of key vendors that mortgage companies should review include any critical third-party exposures those companies themselves have and also the limits of any cyber security coverage they carry. The latter is best assessed by a verified insurance expert, she said.

Jewhurst urged mortgage companies to take such actions soon if they haven't already, given the prevalence of cyber crime in the industry.

"You can do an awful lot before the incident ever happens to reduce the impact, and these days things are going to happen," she said. "If you get breached, it's everything you do before that breach that's going to make the difference."