The FBI defines ransomware as a type of malicious software that prevents an authorized user from accessing their computer files, systems or networks, and demands that you pay a ransom for their return. Ransomware attacks can create debilitating disruptions to business operations, and the loss of critical information and data. Users often accidentally expose a business to these attacks by opening an email attachment, clicking an ad, following a link or visiting a website embedded with malware.
The problem of ransomware is growing across all industries, particularly the financial-services industry. Unfortunately, the commercial mortgage industry is not immune from these attacks.
Once a ransomware code is loaded onto a computer, it will lock access to the computer itself, or to the data and files stored within. More sophisticated versions of ransomware can encrypt files and folders on local drives, attached drives and even other networked systems. Many times, victims of ransomware do not know their systems have been infected until they can no longer access their data or until they receive a cryptic message notifying them of the attack and demanding ransom payments.
According to recent filings with attorneys general in Vermont and California, mortgage servicer SN Servicing Corp. was hit in October 2020 by a massive ransomware attack. The company immediately locked down the affected systems and engaged a third-party team of forensic experts to determine the impact on its clients. The ransomware reportedly affected billing statements and fee notices to customers from 2018, including names, addresses, loan numbers, balances and billing information.
Mortgage servicers and processors are especially vulnerable to ransomware because of what is stored in their systems. They maintain databases of personal and sensitive information. They move large volumes of money. They hold critical documents that relate to financial transactions and their work is often time-sensitive. All of these are recipes for vulnerability to ransomware.
Various malicious cyberattacks fall under the broad definition of ransomware and its evil cousin, extortionware. What ransomware and extortionware have in common is that an attack is generally motivated by money — and to get this money directly from the victim.
Although hacking schemes typically try to steal data to use or resell, ransomware is launched with the intention of hijacking a system so that the victim will pay a ransom. Once the ransomware is deployed, the hijacker can block the victim from regaining control by deploying the same tools normally used to protect systems, such as data encryption, access control and authentication.
A mortgage company will know when it has been hijacked by ransomware. Computers stop working or data becomes inaccessible, and there’s usually a cryptic message that demands the payment of ransom to some secret cryptocurrency wallet. If the ransom is not paid, the data remains locked up and useless.
A mortgage company that is the victim of ransomware also may receive a so-called “countdown” notice, whereby if payment is not received within a certain period (typically 24 to 48 hours), files, drives, networks or devices will be cryptographically locked. Ransomware has many variants and they work differently, but all have one main objective — to disrupt business activities so severely that an entity is willing to pay the ransom rather than pay the expenses of restoration and recovery.
Commercial mortgage companies can take steps to prevent ransomware attacks or mitigate their impacts. Some strategies are similar to those that prevent other forms of cyberattack or theft. They include intrusion detection and prevention, data segregation, anti-malware and anti-phishing strategies, and any other mechanisms to prevent or restrict malicious code.
In the special case of ransomware, however, mortgage companies should consider backing up data on a secondary server in a location away from the primary server. You also should plan for an attack and develop mitigation strategies, as well as regularly test your systems and train staff on how to respond to a ransomware attack. The average downtime from a ransomware attack may be as long as 14 days, but shortening this time from weeks to days or hours may be the difference between paying millions in ransom or paying a much more manageable fee for restoration and recovery.
Anyone in the mortgage industry should have comprehensive cyber liability insurance. It should cover common cyber risks such as data breaches and online fraud scams, but it also should include coverage for the cost of paying — or not paying — ransomware demands. This can provide coverage for restoration and recovery, as well as for ransom payments and the legal costs associated with the investigation and response to the breach.
One of the more difficult and perplexing questions related to ransomware is whether you should pay the ransom. The first consideration is one of cost versus benefit or risk versus reward. If the cost of not paying the ransom in terms of downtime, reconstruction, recovery and revalidation substantially exceeds the price of the ransom, it is a rational decision to consider paying the hijackers.
The cities of Atlanta and Baltimore spent millions of dollars recovering from ransomware attacks even though the monetary demands in each case were in the thousands. Complicating these issues are recent opinions by the U.S. Department of the Treasury’s Office of Foreign Asset Control, the New York State Department of Financial Services and others suggesting that payments by victims of ransom may violate anti-money laundering laws and may even constitute support of terrorists or other criminals. So, naturally, you should consult with an experienced attorney prior to making a decision.
Also, a mortgage company may have other options. For example, it is sometimes possible to spoof the ransomware into not infecting critical machines, or to exploit vulnerabilities in the offending code itself to recapture data that would otherwise be irrecoverable. This underscores the need for a comprehensive plan to respond to ransomware.
As previously mentioned, ransomware attacks are usually different than data breaches, where the attacker attempts to steal and resell sensitive information. But there are gray areas. Ransomware is sometimes used to hijack and lock access to databases that store sensitive personal information, such as client names, Social Security numbers and financial information — the type of information typically held by mortgage companies.
When sensitive information is involved in a ransomware attack, you should treat this as a data breach. Unless you can demonstrate that there has been no unauthorized access to personal information, you should conduct a breach investigation as part of your ransomware response and you should complete the appropriate public notifications. Unfortunately, when sensitive information is breached, it can cost a company millions of dollars in damages and recovery time, depending on the extent of the exposure.
The mortgage industry collects, stores, processes and disseminates large volumes of sensitive personal and financial information, which it is legally required to protect. Ransomware attacks target mortgage companies because of the confidentiality and sensitivity of this data, as well as the time-sensitive nature of access to this data.
Commercial mortgage companies need to work with data-privacy and data-security professionals to create, deploy and train for a plan that will minimize the risk of ransomware attacks in the first place, and respond when they do occur. At this point, it’s not a question of if but when a mortgage company will fall victim to a ransomware attack. ●