Last year’s SolarWinds hack that targeted U.S. government agencies serves up yet another warning to financial-services companies. Even if you think your computer systems are locked down, you are only as secure as your weakest link.
Many of the largest data breaches trace back to a third party that has direct or indirect access to your data. In the SolarWinds incident, attackers compromised the vendor's own software build and shipped a trojanized update that reportedly reached as many as 18,000 customers, including several U.S. government agencies. The victims had done nothing wrong except install a legitimate update from a supplier they trusted. That is exactly the kind of attack through a trusted vendor that the commercial mortgage industry must be prepared to face.
Let's assume that your commercial mortgage company has taken information security seriously. You've had an independent security assessment, identified your vulnerabilities and fixed them. You lock down your wireless access points, require multifactor authentication, encrypt data both in transit and at rest, and follow the Cybersecurity Framework published by the National Institute of Standards and Technology (NIST).
Furthermore, you train your key personnel and have endpoint protection, strong firewalls, and anti-malware and anti-phishing software. Remote employees connect through secure sessions using hardware or software tokens. You even carry cyber-liability and data-breach insurance in case you fall victim to an attack. You're doing a great job. Yet, despite these efforts, you are hit. Often, the problem originates not inside your own perimeter but with a trusted third party.
Third-party risks
Let's face it, one of the greatest benefits of the internet is that it makes collaboration easier. In the commercial real estate market, mortgage brokers need to communicate with borrowers, sellers, lenders, title companies, closing attorneys, insurers, assessors, government regulators, zoning officials and others. Information does not just flow back and forth: shared files, document portals, integrated software and standing network connections are created along the way, and each of them is a form of access to your systems that has to be managed.
In addition, all types of third parties either connect to your network or to data that is stored on it. This can include IT vendors, cloud providers, data analysts, human-resources processors, or even such mundane third parties as office cleaning crews or maintenance personnel. There are a few things you should do to prepare for the threats that come with third-party access.
First, know who these third parties are. Maintain a current inventory of every company with access to your data, systems and building, and record what each one can reach and why. Identify the companies that you depend on for access to the internet, for storage and retrieval of data, and for data analytics. How does data, particularly personal data, flow into and out of your organization? Are you using cloud storage or software as a service? Do you use external services for research, marketing, or the servicing or processing of documents? Any of these presents a possible avenue of attack.
Rule setting
Second, you should insist that third parties have independent security assessments. Every entity with which you work, particularly those with access to your network, should be required to have an independent, outside security assessment — at least on an annual basis. But that’s not enough.
The assessor needs to be certified and qualified to conduct the assessment, and you need to agree on the scope and standards for the evaluation. At a minimum, the assessment should cover any systems or processes that might affect your business or data, and it should be modeled on the NIST Cybersecurity Framework. Ask to receive the findings and the remediation status, or at least a summary of them, rather than a bare attestation that an assessment took place.
You also should insist that third parties act on the recommendations of your assessor. It’s not enough for the third party to have an assessment — they need to be committed to actually fixing the problems.
Also, review contract clauses. The best way to get third parties to do what you’re requesting is by contract. This agreement should specify that they need to protect your data, conduct assessments and act on them. Impose liability for failing to protect data, and require them to have sufficient insurance to cover you in the event they are liable for a data breach or business interruption. Make them responsible for lawsuits or claims against you by clients that resulted from the vendor’s negligence or failure to act.
You also need to establish clear rules with vendors. Whenever you are dealing with a third party, set out the responsibilities of each party in writing. This establishes what data they can get from you, what they may do with it and how long they may keep it. The third party should be required to report security incidents affecting your data within a defined time frame and to cooperate in any investigation.
You also need to secure your connections with third-party vendors. Data transfers and data access should be encrypted in transit, authenticated on both ends (with multifactor authentication for any vendor login to your systems), and limited to the specific data and systems the vendor actually needs; remove the access when the engagement ends. For sensitive wire and funds transfers, establish protocols. For example, require that all funds transfers (or transfers above a certain dollar amount), and any request to change payment instructions, be validated by a phone call to a number you already have on file for that party, or through another channel you already trust. Never use a phone number or contact supplied in the request itself: a fraudster who has taken over a vendor's email account will happily supply a number that rings through to the fraudster.
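The callback rule above is easy to state and easy to get wrong in practice, because the tempting shortcut is to call whatever number is in the email. The following Python sketch is an added example, not code from the article or from Kaufman Rossin, of how a payments desk could encode that rule: the transfer is held when the amount meets a threshold, when the destination account differs from the account of record, or when the request carries its own contact number, and the only callback number the system will ever hand back is the one on file. The counterparty records, the threshold and the phone numbers are constructed sample data for the example.

```python
"""Out-of-band validation policy for funds-transfer requests (added example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Counterparties of record, populated by your own staff from original onboarding
# paperwork, never from an inbound request. Constructed sample data.
COUNTERPARTIES_OF_RECORD: Dict[str, Dict[str, str]] = {
    "acme-title": {
        "callback_phone": "+1-305-555-0100",
        "account": "021000021-123456789",  # routing-account as originally verified
    },
}

# Assumed policy threshold; every organization sets its own.
CALLBACK_THRESHOLD = 10_000.00


@dataclass
class TransferRequest:
    counterparty_id: str
    amount: float
    destination_account: str                    # as written in the request
    contact_phone_in_request: Optional[str]     # number the request asks you to call, if any


@dataclass
class Decision:
    release: bool
    callback_required: bool
    callback_phone: Optional[str]               # always the number on file, never the request's
    reasons: List[str] = field(default_factory=list)


def evaluate_transfer(req: TransferRequest,
                      counterparties=COUNTERPARTIES_OF_RECORD,
                      threshold: float = CALLBACK_THRESHOLD) -> Decision:
    """Decide whether a transfer may be released or must wait for a callback."""
    on_file = counterparties.get(req.counterparty_id)
    if on_file is None:
        # Paying an unknown party is never allowed straight through.
        return Decision(False, True, None, ["counterparty not on file; onboard before paying"])

    reasons: List[str] = []
    if req.destination_account != on_file["account"]:
        reasons.append("destination account differs from account of record")
    if req.amount >= threshold:
        reasons.append(f"amount {req.amount:,.2f} is at or above callback threshold")
    if req.contact_phone_in_request and req.contact_phone_in_request != on_file["callback_phone"]:
        # A request that supplies its own number is a classic business-email-compromise tell.
        reasons.append("request supplies a phone number not on file; that number will not be used")

    if not reasons:
        return Decision(release=True, callback_required=False, callback_phone=None)
    return Decision(release=False, callback_required=True,
                    callback_phone=on_file["callback_phone"], reasons=reasons)


def confirm_callback(req: TransferRequest, number_dialed: str,
                     details_read_back: Dict[str, object],
                     counterparties=COUNTERPARTIES_OF_RECORD) -> bool:
    """Release only if the operator dialed the number on file and the counterparty
    read back the same amount and destination account over that call."""
    on_file = counterparties[req.counterparty_id]
    if number_dialed != on_file["callback_phone"]:
        return False  # confirming over a number from the request proves nothing
    return (details_read_back.get("amount") == req.amount
            and details_read_back.get("destination_account") == req.destination_account)


if __name__ == "__main__":
    # A "please update our wiring instructions" request with its own call-back number.
    suspicious = TransferRequest("acme-title", 2_500.00,
                                 "999999999-000000001", "+1-786-555-0199")
    decision = evaluate_transfer(suspicious)
    print("release:", decision.release, "| call:", decision.callback_phone)
    for r in decision.reasons:
        print("  -", r)
```

The point the example makes is in `confirm_callback`: even after a phone confirmation, the transfer is released only if the number dialed was the one on file, so a staff member who confirmed the new account by calling the number in the email still cannot close the loop.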
Employee training
Make sure that your employees, as well as third-party employees and agents, are trained to spot security events and incidents (including phishing attacks). Many attacks begin with someone impersonating a trusted third party, for instance an email that appears to come from a title company asking you to update wiring instructions. Your first line of defense is to train employees to be skeptical and to verify any unusual request through a channel they already trust, not the one the request arrived on.
Commercial mortgage companies also should obtain insurance. Make sure that you have comprehensive insurance that covers not only data breaches but the loss of critical data, the loss of access to critical data, ransomware attacks, social-engineering attacks and malicious funds transfers. The insurance should cover losses to you resulting from attacks on third parties, as well as losses to third parties (including clients) stemming from attacks on you.
Lastly, make sure you cooperate and communicate with third parties to remain informed. Keep an eye out for new threats and vulnerabilities, and make sure vendors know how, and whom, to contact when they discover an incident that touches your data.
None of these steps is a perfect remedy against third-party attacks, but a comprehensive information-security and data-privacy protection plan can significantly reduce your risks. Remember that you are only as secure as your weakest link, so it's up to you to monitor the situation and ensure that the links remain unbroken.
Author
Jeffrey Bernstein is the director of cybersecurity and compliance advisory services for Kaufman Rossin’s risk advisory consulting practice. Kaufman Rossin is a certified public accounting firm that provides professional services to businesses, organizations, institutions and their leaders. Bernstein advises clients in highly regulated industries on the protection and compliance of their networks, applications, systems, data, devices, people and property. Follow him on Twitter @Jeff_Bernstein1.