Mortgage companies should model cybersecurity protocols after their compliance strategies to avoid being underprepared in the event of a data breach.
A robust cybersecurity plan should include technology, as well as routine checklists, testing and other measures to ensure an organization remains vigilant.
While this approach mirrors how lenders and servicers ensure compliance with regulatory and investor requirements, companies must understand that being compliant doesn't automatically keep their data safe, said Tom Clerici, director of the cybersecurity practice at technology consulting firm Arraya Solutions.
"There's compliance, and then there's security," Clerici said during a panel at the Mortgage Bankers Association's National Technology Conference, held this week in Detroit.
The mortgage industry is notorious for being slow to adopt new technology, and it may be exhibiting similar behaviors when it comes to cybersecurity practices. One of the major reasons the mortgage industry isn't very tech-forward is because of the strict compliance requirements for any new enhancement or capability.
The mortgage industry is "a space that strangles innovation. There are regulatory and compliance burdens and they're kind-of passed along to technology partners," Roostify CEO Rajesh Bhat said in an interview.
The reality is, data breaches happen. And as the mortgage world finally heads in a digital direction, the risk of an incident becomes even more likely, meaning lenders and servicers can't afford to fall behind on cybersecurity efforts like they have with adopting other types of technology.
Preparedness is one of the most important factors in minimizing risk. Whether it's practicing good habits with employees or knowing how to respond post-breach, a company's level of preparation will ultimately dictate how much of a hit it will take should data be compromised.
Companies can employ routine exercises, like phishing tests, to promote good habits with things like detecting fake emails and not clicking links from unknown senders.
Some other good protection efforts include enabling password resets every few months and limiting local administrator rights for employees so they aren't able to freely download programs without permission.
In the event of a breach, having appropriate incident response and continuity plans are key to survival in recovery.
"Getting all of your executives together in a room who have never been through a breach before is just about the worst thing you can do," said Clerici, describing the panic and finger-pointing that typically ensue from executives of underprepared companies.
Management needs to be adequately trained both in knowing who to contact and what steps to take post-breach, and in how to reach out to customers whose information may have been compromised.
"Everybody has to practice their parts, and you have to practice because there can be a lot of missteps and miscommunications that can threaten you legally, financially and otherwise," William Klumper, consultant at FirstStep Software Systems, said during an MBA Tech panel.
Institutions can further protect themselves by minimizing what information gets stored. Basically, the less information out there, the lower the possibility for a breach.
Often overlooked are simple things like having full descriptions of executives on a website, which tell hackers who to target, and even enabling out-of-office email messages.
Out-of-office messages are essentially a data breach because they are giving away information and telling hackers exactly what they want to hear, according to Klumper.