Mortgage Software Solutions Blog

Business Data Security and Multi-Factor Authentication

Get an extra level of security with multi-factor authentication or MFA.

Each year, cybersecurity gets more complicated.

According to anti-virus developer Panda Security, the amount of malware created by cybercriminals is predicted to grow exponentially with each passing year.

Companies have to face the reality that a security breach has a serious impact on business.

To avoid the distress of company-wide damage control and a PR nightmare, it’s best to make sure security is in good shape.

Real Business Impact

For some businesses, consumer data handling is the main issue.

Financial institutions such as banks and mortgage companies are often targeted by hackers because they house the most personal information.

With major security failures like the Equifax breach of 2017 making international news, the finance industry’s cybersecurity worries are real.

More is at stake than information. A data breach can mean sales losses and a tarnished reputation that lasts for years.

From fines to fraud, there are monetary repercussions as well.

So what is the fastest way to tighten security on cloud-based and traditional networks?

Multi-Factor Authentication

Data breaches in single-factor authentication systems often exploit the system login credentials or passwords of users.

Multi-factor authentication or MFA is a group of security measures that go beyond the traditional password in order to correctly identify a person for system access.

MFA is becoming more prevalent in the financial industry. This kind of authentication was adopted by the Payment Card Industry Data Security Standard (PCI DSS) in February of 2017 and was listed as a standard for the mortgage industry in the State of New York in the same year.

Multiple factors mean heightened levels of information that only the user can provide.

These factors can be a number of different security measures. A “soft token” is when security software generates a one-time-use passcode sent to the user’s mobile device. This type of authentication can also be executed with a text message, phone call, or an email with a hyperlink.

Other factors run the gamut from predefined security questions to biometric identifiers like fingerprints or facial recognition software.

Only the correct user knows the information or is in the circumstance to receive the passcode, so using MFA means only the approved user is given access.

The Modern Office

Another issue with security is the modern office environment.

There are a growing number of remote workers. Employees want access to work-related applications from outside the office.

In this mobile workforce, employees are moving off of network-approved computers and onto personal or public machines. It’s up to the IT department to facilitate their work and make sure they go through a heightened level of security checks.

MFA is an authentication strategy that allows IT to deliver this level of remote access. It solves the problem of identifying recognized employees while maintaining a solid defense against intruders.

User Experience

The final consideration when implementing cybersecurity measures is user experience.

With higher scrutiny comes a higher level of annoyance for employees who have to prove their authorization.

IT staffers need to balance security measures with user convenience.

One development that improves this balance is “adaptive” MFA. This security technology evaluates the risk factor of the user and then adapts the number of factors required for entry to the system.

An employee using a company-issued laptop at a café with an IP address across the street from headquarters is considered a low-risk access attempt. This situation does not require extra security measures.

On the other hand, if someone is trying to gain access on an unrecognized device in a location where the company doesn’t have an office (e.g. employee is attempting to do work on her tablet while vacationing in Bali) then the number of factors required will be at the maximum level. The employee jumps through some hoops, but with an understanding of why.
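How an adaptive policy like the one described above could be expressed, as an added example that is not ABT's or any vendor's code. The office coordinates, device IDs, 50 km radius, three-factor maximum and the rule of one extra factor per risk signal are all assumptions.

```python
import math
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample data: every name and value here is hypothetical.
OFFICES = {"headquarters": (40.7128, -74.0060)}   # (latitude, longitude)
COMPANY_DEVICES = {"LAPTOP-0042"}                 # company-issued device IDs
NEAR_OFFICE_KM = 50.0                             # assumed "near an office" radius
MAX_FACTORS = 3                                   # assumed maximum level


@dataclass(frozen=True)
class LoginAttempt:
    user: str
    device_id: str
    # Location derived upstream (for example from the source IP); None if unknown.
    location: Optional[Tuple[float, float]]


def km_between(a, b):
    """Great-circle (haversine) distance in kilometres between two points."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))


def risk_signals(attempt):
    """Return the list of risk signals raised by this attempt."""
    signals = []
    if attempt.device_id not in COMPANY_DEVICES:
        signals.append("unrecognized_device")
    if attempt.location is None:
        # Fail closed: an attempt we cannot place is treated as far away.
        signals.append("unknown_location")
    elif min(km_between(attempt.location, o) for o in OFFICES.values()) > NEAR_OFFICE_KM:
        signals.append("no_office_nearby")
    return signals


def required_factors(attempt):
    """One factor (the password) at low risk, one more per signal, capped."""
    return min(1 + len(risk_signals(attempt)), MAX_FACTORS)


# The two scenarios from the text, plus an attempt whose location is unknown.
cafe = LoginAttempt("alice", "LAPTOP-0042", (40.7130, -74.0055))
bali = LoginAttempt("alice", "TABLET-PERSONAL", (-8.6500, 115.2200))
home = LoginAttempt("alice", "LAPTOP-0042", None)

if __name__ == "__main__":
    for name, attempt in (("cafe", cafe), ("bali", bali), ("home", home)):
        print(name, required_factors(attempt), risk_signals(attempt))
```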


Data breaches are happening at the enterprise level at an alarming rate. A watchdog organization called Breach Level Index estimates that every second, an average of 57 records are stolen.

Employees are moving towards a more mobile work environment with wide geographic distribution.

For companies who handle consumer data, implementing MFA is simply one of the most effective ways to crack down on security violations and keep up with the modern workplace.

Businesses that use the MortgageWorkspace management software by ABT are protected by multi-factor authentication and a host of other cybersecurity measures. Contact us to learn more.


Guide to New York’s Cybersecurity Regulations

The deadline is less than a month away.

As February 15, 2018 draws near, financial institutions in the state of New York are scrambling to comply with cybersecurity regulations that are new to the industry and unprecedented in the state.

Released in early March of last year, Part 500 of Title 23 or Cybersecurity Requirements for Financial Services Companies (2017) is a 14-page document detailing how finance companies will be legally required to protect nonpublic information in their computer systems.

These regulations were implemented by the Department of Financial Services (DFS) citing security risks and the “ever-growing threat” of foreign nation-states, terrorist organizations and cybercriminals. The DFS Superintendent’s office will be overseeing compliance with the new laws aimed at safeguarding sensitive information that banks, credit unions, and mortgage companies keep on file.

As the zero hour approaches, here is a quick guide to the new DFS directives.

Cybersecurity Programs for All 

The main requirement is that all financial institutions under the regulation of the DFS are now required to create and implement a written cybersecurity program.

With computer-based leaks making national headlines, New York’s banks will be held to a high standard.

The main issue of information leaks is “nonpublic information” or data gathered about customers and clients that is not meant for public knowledge. This includes business information, identifying information, account numbers, and even medical information.

A “cybersecurity event” is any action or attempt of unauthorized access to this information.

Security Measures

The new DFS regulations specifically call for annual penetration testing and bi-annual vulnerability checks of all information systems.

This includes extensive recordkeeping of system activity. Each financial institution must keep transaction records for a period of 5 years and an audit trail that records at least 3 years of activity.

The DFS further urges permissions control for all software applications.

Policy Requirements

This new cybersecurity program that every institution must implement is subject to oversight. The regulations require that all policies be recorded and approved by a senior officer or the company’s board of directors.

The guidelines state that any policies laid down must address an extensive list of 14 distinct topics ranging from data governance to disaster recovery planning.

Beyond stating the goals of these new measures, the law requires that companies designate a Chief Information Security Officer (CISO) for in-house enforcement.

This individual is required to report in writing annually about security to the company’s board and will be held responsible in the event of a breach at the agency.

Risk Assessment

Beyond coming up with a plan, the new regulations require action.

Financial institutions must run a complete risk assessment of their company. The assessment must be documented and it should include an evaluation of the adequacy of the existing access controls.

By law, this assessment must be carried out by qualified cybersecurity personnel. To avoid passing the buck, companies who hire out for the job must still exercise due diligence in evaluating the adequacy of the third party’s own security practices.

The law makes it clear that the financial institution itself will be held responsible for the integrity of their new program.

Other Regulations

There is a host of supplementary details in the document that outline currently-held security precautions across the information systems industry.

For example, multi-factor authentication for network access, a time limit on data retention, and regular cybersecurity awareness training for all personnel are all part of the regulation.

Encryption guidelines are spelled out and become subject to annual review by the CISO.


The final issue addressed by the new regulation involves communication with DFS. The superintendent’s office places a strict time cap on security breach announcements. A company has no more than 72 hours to report any event that has a “reasonable likelihood of materially harming the normal operations” of the company. 

Serious events like this have always fallen under reporting laws to local supervisory bodies. Under the new law, these events will be taken up the chain of command to the Superintendent’s office immediately.  

As of last year, New York is taking cybersecurity seriously. With such strict laws, it’s understandable that financial institutions have been slow to enact changes. After the year-long cushion, the new regulations are set to be enforced and financial institutions will be held responsible if they don’t comply.

14 pages of detailed requirements are on the books. As the transition year comes to an end, banks, mortgage companies, and credit unions are under the gun to make it happen.

Are you a CIO?

Has your institution taken the proper steps for system security?

For comprehensive compliance guidance and other cybersecurity solutions, contact us.


Cloud Storage Reduces IT Costs and Improves Scalability for Mortgage Companies


Those of you who've worked in the mortgage industry for the last two decades know how much has changed in just the last five years. Technologies have evolved quickly to provide more ways to accomplish tasks, including superior organization. Despite this, you've perhaps balked at finding ways to reduce your IT costs. The habit of doing things the same way is perhaps hard to break after being in business for over 20 years.

Don't become complacent, because many IT solutions are affordable and necessary.  Security should be paramount when storing client information.  Today's software is being written to comply with the latest regulatory requirements and not all of it is expensive either.

With a rise in cloud and mobile technologies, you can do so much more while paying less. The same goes with scalability.

Using Automation to Improve Client Communication

When you look at the biggest challenges facing mortgage organizations like yours, client communication is at the top of the list. In a time when you likely have to compete with other lending agencies a short distance away, you need to keep your clients loyal.

The way forward is to use automation to gain efficiency. The older methods of reaching your clients only by phone can frequently lead to delays. Consider other communication methods; texting, for example, may be the best way to shorten the business cycle.

Automating your communication will allow you to reach your clients faster and provide the ability to personalize content for more successful lead generation. Through affordable mobile technology and automation, you can send information at key times to your existing or prospective clients. Doing so educates them on their mortgage options.

Using the Cloud for Data Storage and Retrieval

We noted a while ago that cloud security is the future of all mortgage companies. More than two years after we said it, it's a fact, and a must in order to prepare for the unexpected.

Considering that on-site servers can easily be hacked, you need to upgrade to the cloud to stay compliant in handling client data. While cloud pricing varies depending on needs, it still reduces cost because you're eliminating maintenance on your own servers.

During disasters, you're also preparing yourself for business continuity. You can access anything in the cloud 24/7 as long as you have an Internet connection. When a disaster strikes, you can retrieve all client information immediately to keep your lending business on its feet.

The Use of Mobile Apps to Simplify the Lending Process

Many home buyers want to simplify how they obtain a mortgage without all the protracted steps. Creating a mobile app to make the process easier helps remove complex steps that would otherwise increase your operating costs.

An app gives your clients more control over the time it takes to get a loan and the terms they want. Although apps require design time, they'll pay off long-term by increasing business and gaining your customers' trust.

Transparency is an important aspect to lending today. Allowing this through mobile technology is essential, as long as you have quality IT management in place.

Scaling Your Mortgage Company

To keep up with demands, you can do a lot of practical things to scale your mortgage business. If you're short on clients, Zillow reminds us that using CRM software can often help you connect better with potential customers. Also, redesigning your website and starting a blog can get home buyers more interested.

During times when you just need to find room to expand data, the cloud can scale quickly for you. This eliminates having to depend on other risky storage methods. When you want to scale due to unexpected growth, you can do so with the cloud, plus still have room for further growth down the road.

At Access Business Technologies, we provide game-changing technologies and tools to help your mortgage business reduce costs while still growing. Our MortgageWorkspace product allows you to scale quickly and securely by putting your business into the cloud. It offers efficient ways to keep your data compliant using intuitive dashboards and admin tools. Learn more about how MortgageWorkspace can make the mortgage process easier for your employees and customers by scheduling a call with us.


10 Reasons Why Cloud Storage Is Safer

Where is the safest place to store a valuable item: in a locked box in your home, or in a safe deposit box at a bank? It should be obvious that something of value will be better protected at a bank, even though it's out of your immediate possession. Banks have better security procedures, trained staff, and less penetrable physical structures.

The same concept applies to your data storage. Storing loan application information on a desktop computer at your office exposes it to significantly more risk than entrusting it to a reputable cloud service. Breaches in security, mostly caused by haste or lack of experience, have caused numerous compromises of mortgage data.

Let's look at some of the reasons why cloud storage can offer better security to a mortgage business:

  • Cloud facilities are physically secure; your building is not. Anyone who walks into your office can see what machines you’re using. Even with normal building security, someone might be able to sneak in after hours and tamper with a computer or steal a hard drive. Even someone surreptitiously plugging in a malicious USB stick during business hours might be enough. Cloud facilities are in locked buildings that allow few visitors and have careful check-in procedures at all times.
  • Data on a cloud server is always backed up. Your data will be stored in more than one location at all times, so a disk failure or even a disaster in one place won't wipe out your information.
  • Your data is isolated from other software. On a desktop system, the general rule is that any of your software can access any of your files. A weakness anywhere in your system can compromise confidential customer data. On a cloud system, only authorized software has access to your data; there is no risk of email downloads or malicious web pages accessing your system.
  • Data transfer between branches is secure. If you use ordinary email to send a document to a co-worker at another location, it passes through one or more mail servers without encryption and is vulnerable to interception. When you transfer data through a cloud service, it is encrypted both going in and coming out.
  • Cloud service software is always up to date. Keeping your operating system and software up to date all the time is a lot of work, especially when you have other work to do. But old software tends to have known security defects. Because a cloud business must provide the most reliable servers possible, it updates its software promptly and regularly.
  • A cloud service monitors its computers. Cloud service providers are always monitoring their hardware; if anything goes wrong, the problem is caught and remedied quickly. This same level of monitoring is nearly impossible to maintain at a busy mortgage office.

Aside from these technical factors, "people factors" also make the cloud more secure for mortgage companies than their own desktop machines:

  • Security is at the core of a cloud business. At a mortgage business, the first concern is mortgages. It's easy to neglect security for the sake of getting work done. For a cloud service provider, keeping data safe is the work they do.
  • Cloud servers don't engage in risky behavior. Unlike the average employee, cloud servers never accidentally open a spam email or browse websites out of curiosity. Even the most innocent click of a mouse can endanger your data.
  • A full-time staff is always ready to deal with problems. A cloud service utilizes monitoring software, which is always watching for breaches and suspicious activity. If the monitoring software detects something has gone wrong, trained staff members will deal with it quickly. On your local computer, if a breach occurs outside business hours, the attacker might have hours to exploit it before anyone notices.
  • A specialized cloud service provider has security expertise tailored to your industry. When you choose a cloud service that specializes in your area of business (e.g. finance), it employs experts who understand the risks and requirements that are specific to handling your type of data.

Of course, everything we have listed here assumes that you're dealing with a reputable, competent cloud service provider. Anyone can claim to provide "cloud computing," but you have to know what you're really getting. Using insecure cloud services to transfer loan documents is actually the riskiest way to transfer them—even worse than email. Consumer-quality file sharing systems and cloud systems specifically designed for security are two completely different things.

You need a service with a strong reputation for security and privacy. Even your own access to the service should entail strong security protocols. You need a written guarantee that the service will protect your data from unauthorized access. And for finance-related businesses, the service needs to satisfy all applicable regulations and guarantee security compliance.

At Access Business Technologies, we understand the mortgage business. ABT provides a cloud-based platform called MortgageWorkSpace®, which meets all of a mortgage company's storage and security needs. MortgageWorkSpace® meets SSAE 16 Type II standards and meets or exceeds all regulatory requirements, while still granting secure access to authorized users from any location. Contact us to learn more.
