Data security precautions often focus on preventing a data breach. But what if those measures aren't enough and a breach occurs? From Target to Experian to HSBC, no industry is immune to the threat of a data breach. Indeed, cybersecurity must be an essential priority for the mortgage industry. Here's a look at steps lenders and servicers can take now to prepare their response in the event of a catastrophic data breach.
Create an Audit Checklist
When a breach is suspected, there are lots of things companies will need to check: What files were accessed? Where were they accessed from? What customer information was located in the files? Creating an audit checklist ahead of time to use in the event of a data breach is critical. Making this checklist will also let companies know if they have the proper analytical tools in place. "Doing it now when things are calm will ensure nothing is overlooked in the frenzy that happens after a potential breach," said John Hurley, CEO of secure file management and transfer services provider SmartFile.
Get Cyber Liability Insurance — And Know How It Works
Data is not covered by standard property insurance policies, nor are common cybercrimes such as phishing scams and identity theft, according to MSPAlliance, the International Association of Cloud and Managed Service Providers. Having a cyber policy in place can aid lenders and servicers in restoring data if it is lost. It can also cover the costs associated with notifying consumers of a breach. But when a company gets cyber liability insurance, it's important it understands the rules and procedures. "They've got pretty strict guidelines on who they work with," said Bob Orkis, chief information officer at Fairway Independent Mortgage Corp. In particular, insurers may require policyholders to go through a certain sequence of steps to activate their coverage in the event of a breach, he said.
Maintain Robust Data Archives
If a lender or servicer's systems have been hacked, they must be prepared to save any evidence. "You need to preserve that evidence in the event someone wants to come in or someone has a lawsuit," Orkis said. Having a pristine copy of the system that's been hacked can also aid in an investigation. Not only does this involve having the proper tools and software in place ahead of time, but companies should also train employees so that they know not to overwrite anything following a data breach.
Know the Law
How a lender or servicer responds and acts in the wake of a data security incident is largely guided by state and federal laws, which vary by jurisdiction. In some states, for instance, companies are required to notify the state police before contacting consumers, Hurley said. Companies will also want to notify the Federal Trade Commission and understand the agency's rules regarding data security to ensure compliance.
Make a Client Outreach Plan
Finally, mortgage firms need to figure out how they will contact borrowers and what they will offer them in the wake of a breach. This will vary based on the nature of the incident, but having a clear communication plan in place ahead of time ensures interactions with borrowers remain consistent. Lenders and servicers should also consider whether they will offer affected customers free credit monitoring or other forms of relief, such as a reduction in payments, in the event of a breach. Additionally, lenders and servicers should be ready to alert their vendors, since a breach of one system could potentially affect other companies that use that technology.