The number of mortgage servicers and lenders who have been the target of cyberattacks seems to be growing by the day and while there’s no indication as to why they have a target on their backs one expert is offering some advice.
Donna Schmidt, a default servicing expert and founder of WaterfallCalc, said it’s clear that the hackers are winning and forcing these companies to shut down their services in order to address the issues.
In recent weeks, three financial services companies — First American, Fidelity National Financial, and Mr. Cooper — have each disclosed separate incidents involving cybersecurity breaches and ransomware attacks. All three companies have notified government authorities and impacted parties.
“The mortgage industry is ripe,” Schmidt said.
She said mortgage servicers are in dire need of backup loss mitigation. She suggested two property preservation companies and better vendor control.
“Servicers that establish a backup loss mitigation service provider can more easily and swiftly move their loss mitigation activities to another platform when their primary provider is attacked,” Schmidt said.
The data breaches have exposed gaping vulnerabilities among residential loan servicers when their own system or a third-party vendor’s system is under attack, said Schmidt.
“There is no reason why loss mitigation activities cannot continue unobstructed even when a servicer or one of their partners encounters a serious data breach,” she added.
In each of the recent breaches the companies were forced to shut down some of their services in order to figure out how the breach happened and what - if any - information was taken. As a result, many lost business.
Schmidt said companies need to focus on their security as much as their finances, while increasing their redundancy and training practices.
Remote work presents an additional challenge to training, but in most instances these breaches happen because someone opens an email and clicks on a link, she added. However, the public is becoming aware of these incidents much more quickly than in the past.
The SEC’s new rules for public companies’ cybersecurity disclosures, effective as of Sept. 5, 2023, include “a requirement to disclose material cybersecurity incidents four business days after a public company determines the incident is material and a requirement to annually disclose information regarding cybersecurity risk management, strategy, and governance,” according to the SEC’s website.
