October is National Cybersecurity Awareness Month and, boy, is the financial services world more than aware of the subject! The news that JP Morgan Chase & Co. experienced a data breach that may have compromised information for 76 million households and seven million small businesses was extraordinary, and the attack continues to resonate.
Right after the news of the data breach struck, there was (not surprisingly) a political response. Reuters reported that two state attorneys general—Connecticut’s George Jepsen and Illinois’ Lisa Madigan, both Democrats seeking re-election—have begun investigations into whether sensitive data was stolen in this cyberattack. In Washington, Rep. Maxine Waters (D-CA), the Ranking Member of the House Financial Services Committee, demanded that her committee’s Republican leadership use this data breach to push for greater cybersecurity controls.
“The massive data breach announced yesterday at JP Morgan Chase serves as a pressing reminder that more must be done to strengthen data security across the financial system and protect consumers’ sensitive financial and other personally identifiable information,” said Waters in a statement. “Holding hearings on data security every few years just isn’t good enough. The time for taking action is past due. Congress must move to bolster data security requirements and strengthen consumer protections that ensure victims are notified in a timely manner when their financial and personal information is stolen. As private companies continue to amass an ever growing trove of consumers’ personal data, I call on the Republican leadership of the Financial Services Committee to take seriously their responsibility to ensure consumers are adequately protected.”
Fears of cyberattacks have weighed on the mortgage industry for a long time. In January, the Schaumburg, Ill.-based cybersecurity firm HALOCK Security Labs announced the findings of its investigation of 63 U.S. mortgage lenders—and the company found that over 45 (70 percent) permitted applicants to send personal and financial information, including tax documents and W-2s, as attachments over unencrypted email. Eight out of the 11 top U.S. lenders were found to allow the same unsecure practices as smaller lenders.
And the problems weren’t unique to computer transmissions: Nearly 70 percent of the surveyed lenders encourage faxing sensitive data—which may reduce the chance of a digital breach, but is nonetheless no guarantee of encrypted safety.
“As the public becomes more demanding of their banks to ensure privacy and security, it's no longer feasible to rely on unsecure email for the transfer of financial documents,” said Terry Kurzynski, senior partner at HALOCK Security Labs, during the announcement of the company’s findings in January. “Any type of weak link in a system involving sensitive information exposes people to unnecessary risk. It takes months to recover from an identity theft and minutes to log into a secure portal—do the math!”
Within the mortgage world, there is an apprehension that cyberattacks of JP Morgan Chase-level severity have become the new normal.
“These data breaches are going to get worse and worse, unfortunately,” said Sanjeev Dahiwadkar, CEO of Columbia, Md.-based IndiSoft. “Private companies in the U.S. are equally as vulnerable as government agencies – they are seen as being symbolic attacks on U.S. capitalism. U.S. businesses have more vulnerability than other businesses in other countries.”
Dan Jones, vice president of technology at Brentwood, Tenn.-based Churchill Mortgage, believed that mortgage companies are especially vulnerable to cyber intrusions.
“We collect as much sensitive data about people as any other industry,” Jones said. “We collect Social Security numbers, employment data, credit card numbers for running credit reports – we have a complete financial profile of someone who goes through the mortgage process.”
Jones added that smaller originators should not be lulled into thinking that the cyber crooks are only interested in mega-corporations like JP Morgan Chase.
“It is just a matter of time before someone gets hit,” he said.
Eric Robichaud, CEO of Woonsocket, R.I.-based 401 Consulting, agreed.
“These continued, massive breaches are demonstrating that nobody is immune,” Robichaud said. “By the very nature of the systems, if there is access to the information, then it's accessible.”
But this raises the obvious question: What can be done to stop these types of attacks? For Robichaud, the answer lies in viewing the issue as an investment.
“Financial institutions need to think of cyber security not as an expense, but critical to their livelihood,” Robichaud said. “A breach can utterly destroy a smaller firm and put it out of business. That's worth hiring smart people to oversee security, investing in infrastructure, staying on top of latest best practices and implementing security changes quickly as the landscape evolves.”
Jones pointed to a rash of high-profile data breaches involving top retailers as a sign that there needs to be a re-evaluation of the strength of the cybersecurity tools being employed. However, he also stressed that it was equally important to train internal staffs about the need to be vigilant to potential breaches.
“We got to do a good job of training people in the first week they’re hired about security,” he said, adding that it was crucial to provide additional updated training as new threats emerge.
Dahiwadkar pointed out that the industry should also re-examine cloud computing’s security issues, particularly in view of the recent scandal involving the hacking of private photographs within celebrity accounts.
“Apple, as great as a job they do, didn’t take seriously the personal password recovery mechanism,” Dahiwadkar said, noting the method that cyber thieves used to access the celebrity accounts and adding that the mortgage space could learn from this situation in reconsidering its own password recovery processes.