Cyber security is now a top issue for mortgage CEOs. The mortgage industry is particularly vulnerable to digital breaches because of the number of parties involved in the sharing of sensitive data. They are attractive targets for criminals because applications for mortgage loans request more personal and sensitive information than applications in any other industry. Criminals know that there is a wealth of information being shared between third parties, and the opportunity to steal financial and personal information.
Security professionals agree that cyber criminals usually fit into one of three groups: so-called hackivists, organized crime participants, and foreign nationals.
- A hackivist usually has a social or political agenda, and is driven by the need to publicly humiliate corporations to teach a lesson.
- Organized crime is in it for the money, and concentrate on identity theft and other schemes that will generate a profit. These threats pose an incredible risk to mortgage companies in particular, as they are specifically targeting consumer's financial information.
- Foreign nationals look to steal data to compromise intellectual property and information regarding potential investment plans.
Smaller companies may feel that they are not a target for these types of attacks, but any size business that leaves the door open for cyber criminals is inviting trouble. Hackers can use malware that may not be detected for some time, all the while continuously collecting sensitive information. Organized crime groups are very focused on financial fraud, and have become skilled at manipulating authentication mechanisms, allowing them access to many customer accounts.
Many times, the criminals targeting the mortgage industry have specific knowledge of how the industry works. The distributed-denial-of-service attack that hit Ellie Mae last year is thought to have been orchestrated by someone with expert knowledge of the industry. Although there was no data breach, and client information remained secure, it was a disturbing attack specifically constructed for the mortgage industry. Random attacks of this nature would usually be an invalid request that would spur a lot of failed attempts, whereas this particular attack was valid and had a normal signature.
Mortgage CEOs have become increasingly aware of the importance of cyber security, but there appears to be a disconnect between C-level executives and IT management. CEOs frequently have very little understanding of the security measures currently in place, and according to a report from Ponemon Institute, 80 percent of CEOs do not communicate with management regarding potential security threats. They look at how much money is being spent on cyber security and assume that everything is being handled appropriately. They are failing to understand that the company's security situation needs to be reviewed frequently and revised to protect against new threats.
One way that the communication barrier manifests is when IT personnel feel there is no way to adequately discuss technical security issues with C-level executives who are focused on overall business. When IT does attempt to explain cyber-security situations with executives, they may be delivering a weakened explanation in an attempt to make it understandable. C-level executives and IT management have to invest in regular communication that will keep everyone in the loop and allow for more thorough plans for responses to cyber attacks.
Another issue affecting response to cyber attacks is cost. Although mortgage CEOs are spending money to prevent it, much of that investment is not going toward the response of an actual attack. Ponemon Institute's report shows that half of the respondents claim that less than 10 percent of their security budget is marked for incident response. This is happening because of the communication problem with CEOs. If they are not aware of the impending problems from an attack, they cannot appropriately prioritize funds for dealing with said attacks.
IT management in mortgage companies must develop better communication with CEOs in order to appropriately protect businesses. Disturbing numbers from Ponemon Institute's report show that 68 percent of respondents had suffered a security breach within the last two years, and half of that group determined that there was an imminent threat for another breach within six months. The report found that CEOs were not working with IT and security personnel to develop better cyber-security plans because IT was not escalating the issues and explaining how likely future attacks were.
Please contact us to learn more about protecting your mortgage company's sensitive information.