Cybercriminals always target the weakest parts of a company’s cybersecurity infrastructure and, for many institutions, including mortgage companies, that weak link happens to be their e-mail communications.
Because of the massive amounts of private information that’s exchanged between borrowers and mortgage originators, e-mails are a data treasure trove for hackers. Tax information, Social Security numbers, bank accounts and a wealth of personally identifiable information that can be sold on the black market can be found in a mortgage company’s e-mail system.
There’s also the mortgage company’s human-resources department, which stores all of the personal information for company employees. E-mails are a gold mine for a company’s confidential business plans, making them perfect for corporate espionage. Some mortgage companies may be slow to adopt cybersecurity measures, but there are a few surefire ways for them to strengthen their digital infrastructure and protect their clients, employees and company information.
This past January, it was discovered that millions of banking and mortgage documents were left unprotected in two unsecured servers run by a Texas-based analytics company. The files contained highly sensitive information such as names, addresses, Social Security numbers and more.
It’s not clear how many cybercriminals accessed this information before it was secured. But this was far from a one-off event. The massive leak is symptomatic of a finance sector that isn’t up to date with cybersecurity standards.
The catastrophic breach of Equifax that exposed the credit card numbers and data of 143 million consumers may be the most famous leak in recent history, but there are much smaller — yet just as damaging — leaks that happen frequently within financial institutions. Verizon’s 2018 Data Breach Investigations Report showed that the financial sector (including mortgage companies) sustained 146 breaches and nearly 600 security incidents in 2017 — concerning figures considering that the mortgage industry handles some of the most sensitive consumer information from all over the country.
There are cybersecurity regulations in place for financial institutions, including several federal laws that regulate consumers’ general privacy and financial information, a handful of state laws regulating financial cybersecurity and even a few guides to help financial institutions manage the risk of working with vendors.
One of these is the New York Department of Financial Services’ cybersecurity law, also known as 23 NYCRR 500, which imposes a number of requirements for financial institutions licensed to operate in the state of New York. Third-party service providers working with these institutions also were required to comply with the law as of this past March.
Among other measures, the law requires financial institutions to implement a cybersecurity program that includes encryption, multifactor authentication, risk-factor management and employee training. Noncompliance with this law could cause a financial institution to be fined up to $250,000 or lose its license.
There are a number of ways for mortgage companies to implement cybersecurity measures for their e-mail systems, whether or not they’re legally required to.
Training. Companies should hold regular training sessions to teach staff the basics of network and information security. Over time, employees can effectively screen suspicious e-mails and attachments. Companies also should teach employees how to effectively manage different devices, responsibly utilize multiple passwords and properly use cybersecurity tools. Of course, human error is still inevitable. Thankfully, cybersecurity has evolved, leading to a number of tools that are stronger, more user-friendly and easier to integrate into a business’s communication model.
Encryption. This is a way of scrambling attachments or the contents of an e-mail until a unique code is provided. It’s considered to be one of the most effective ways to protect e-mail communications, but it has yet to come into widespread use. It has been said that encryption is inefficient and too cumbersome to use daily, but a simple solution would be to implement an encryption service that integrates smoothly with your company’s e-mail service. Regardless of which encryption service a business uses, it should ensure that the encryption works for both sender and recipient.
Multifactor authentication. Although having unique, complex passwords is essential for a secure business, it’s no longer enough. Adding another layer of protection with multifactor authentication has become necessary. Multifactor authentication is a way of protecting an e-mail’s content by requiring two or more unique keys to be provided. The keys are usually sent to a separate personal device, like the receiver’s cell phone. With multifactor authentication, even if a hacker manages to discover an employee’s e-mail password, they won’t be able to access e-mails with sensitive information.
Tracking. The Verizon data-breach report mentioned above found that phishing was the third most common method hackers use to gain access to a company’s warehouse of information. Although most people associate phishing attacks with cheap scams, they’re becoming increasingly sophisticated. In fact, some of the biggest hacks in recent history were due to an employee clicking a link from a hacker impersonating a supervisor or coworker. Some hackers are clever enough to send e-mails from addresses that differ by a single letter from the address of an employee’s supervisor.
A tracking service can put an end to that by showing, in detail, the location an e-mail was sent from, who sent it and other important information. In addition to helping employees easily spot a potential phishing scam, a tracking service also can help employees ensure that their messages aren’t ending up in a spam folder and that they’re being read by the right people.
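The one-letter-difference impersonation described above is something a mail filter can check for automatically. The following Python sketch is an added example, not part of the original article or of any particular tracking product; the directory `KNOWN_SENDERS`, the function names and the `examplemortgage.com` addresses are constructed for illustration. It flags any sender whose address is within one edit of a known internal address without matching it exactly.

```python
from email.utils import parseaddr

# Constructed directory of legitimate internal senders (assumption).
KNOWN_SENDERS = {"j.miller@examplemortgage.com", "hr@examplemortgage.com"}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete ca
                           cur[j - 1] + 1,             # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]

def classify_sender(from_header: str, known=KNOWN_SENDERS, max_dist: int = 1):
    """Return (verdict, matched_address) for a raw From header value."""
    _display, addr = parseaddr(from_header)
    addr = addr.strip().lower()
    if not addr or "@" not in addr:
        return ("invalid", None)
    if addr in known:
        return ("known", addr)
    # Not an exact match: is it suspiciously close to a known address?
    for legit in sorted(known):
        if 0 < edit_distance(addr, legit) <= max_dist:
            return ("lookalike", legit)
    return ("unknown", None)

# Constructed sample From headers for illustration.
SAMPLES = [
    '"Jane Miller" <j.miller@examplemortgage.com>',  # legitimate
    '"Jane Miller" <j.miller@examp1emortgage.com>',  # "l" replaced by "1"
    '"Jane Miller" <j.miler@examplemortgage.com>',   # dropped letter
    'newsletter@vendor.example',                      # unrelated sender
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(classify_sender(header), header)
```

The display name is deliberately ignored: in the second and third samples it reads "Jane Miller" exactly, which is why the check compares the address itself.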
Postmarking. There are several companies out there that act as a kind of digitally certified e-mail service, allowing businesses to send sensitive documents in a secure and protected way. Considering the documents typically sent by mortgage borrowers over e-mail, such as tax forms and bank information, a digitally certified e-mail service can make all the difference.
• • •
Data breaches and leaks shouldn’t happen in the financial sector. When mortgage companies don’t shore up their cybersecurity defenses, they risk more than significant fines and penalties. With the new regulatory laws in place, noncompliance could subject their company to civil litigation. But mortgage companies also could lose something even more valuable: their clients’ trust.
Clients rely on mortgage originators to protect their precious information, and that trust should be honored. Now that the mortgage industry is becoming increasingly digitized, protecting consumer and employee information should be considered one of its biggest priorities.