Mertens calls digital risks “uncaptured liabilities,” and insists that understanding cyber risk as part-and-parcel of business risk means companies must reconcile network and endpoint vulnerabilities with a more nuanced financial accounting. “If you have a loan portfolio, you have a statistical understanding of what that risk looks like as kind of a liability,” he says. “But, what’s the on-paper value of a hacker getting into the network?”
Nouguier hopes that aggressive reporting requirements by the Securities and Exchange Commission (SEC), Ginnie Mae, and state regulators like the New York Department of Financial Services (NYDFS) will force companies to develop a more mature security posture.
When a breach happens to a mortgage company operating in New York, for example, failure to inform regulators incurs a hefty fine, and possible loss of licensure. The NYDFS also requires annual attestations as to a company’s cybersecurity protocols. At 48 hours, Ginnie Mae has instituted the shortest breach notification window of any federal mortgage regulator. The SEC requires publicly traded companies to report breaches within four business days of their knowledge of the breach.
And yet, many companies lack the infrastructure to identify or diagnose a breach so quickly. “It’s a hyper mature organization that can detect a cybersecurity incident that is material to them and go through an entire incident response program in 48 hours,” Nouguier says. “Mortgage companies are looking at this saying, ‘We don’t have this visibility inside of our organization.’ ”
The way cyber risks can impact mortgage companies also changes as technologies evolve.
“What’s kind of reared its ugly head in the last half-a-year or so is this third-party risk that is impacting organizations,” Nouguier continues. “The two largest things impacting the mortgage industry at this time are the human element, due to their public exposure, and third-party risk management.” Third-party risk management is more of a legal issue than a technical problem for mortgage companies using third-party technology providers to run their daily operations.
A mortgage company can be liable if a third-party provider is breached, even when the breach is not directly the mortgage company’s fault, and regulators like Ginnie Mae and the NYDFS push their stricter standards onto mortgage companies’ third-party providers. While forcing stricter standards on companies and their third-party technology providers can drive a culture shift within the industry, much is left to be desired when it comes to enforcing those laws and auditing compliance so that cyber incidents are prevented in the first place.
Most state regulators charged with auditing mortgage companies are not even IT experts, let alone cyber experts. “They’re lawyers,” Nouguier says. “They’re not in-the-trenches IT and cyber people.” Submitted questionnaire responses are what get audited 90% of the time that regulators come knocking, he says.
When a breach occurs, “I don’t think that any regulatory body at this point is sending somebody into mortgage banks to understand what’s happening,” Nouguier continues. “It’s usually just questions that are emailed back and forth, and it’s based on what responses you give.”
State Regulators Slow To Adapt
In August 2023, Utah implemented new policies for reporting and protecting against cyber incidents. Bingham was directly involved in this process, offering his expertise as a consultant to Utah’s Department of Real Estate’s (DRE) Mortgage Commission. He says he had to push “pretty hard” just for Utah regulators to include breach notification requirements.
For an attack like that experienced by California-based loanDepot in January, “if that had only happened in Utah, you would probably never find out about it. It’s such a patchwork of different reporting laws that frankly falls really, really short,” he explains. The news of loanDepot’s cyber incident stemmed from a regulatory filing in Maine, where breach reporting is mandated.
If a mortgage company operating in Utah suffers a data breach now, it must notify borrowers as well as regulators. Other changes include deleting customer data when it is no longer needed and removing access to all systems for terminated employees. Employees not working in licensed branch locations must be provided with a VPN by their sponsoring entity.
An industry veteran of more than a decade, Gina Johnson is co-owner of Clearfield, Utah-based Lift Home Lending, and contributed to the state’s efforts as a DRE commissioner. Her involvement began at the tail end of the process, but Johnson has been implementing cybersecurity best practices at her company for years.
A friend of Johnson’s recently fell victim to wire fraud during a mortgage transaction. Not using Johnson’s company, he had been showing her documents throughout the loan process to glean her expertise as a second opinion. Then she received this text from him: “I just lost $190,000.”
He had wired the sum to a cyber criminal posing as his title company. Highly intelligent and armed with a Master’s degree, “he’s not your victim that’s like 75 and doesn’t know how to use a computer,” Johnson says. Nevertheless, he is one more data point proving that any borrower can fall victim to cyber crime, as can any business. Her friend was doing business through a local credit union and a local title company, as opposed to a large, national company.
A day-one conversation with every client of Johnson’s includes a lecture on wire fraud and the safe transmission of documents. Despite Utah’s step in the right direction, though, Johnson and Bingham believe weak enforcement undermines the new rules. There are more than 6,000 licensed loan officers in Utah. When it comes to auditing a mortgage company operating in the state, ensuring the use of VPNs or testing their system for vulnerabilities, “I don’t think that’s anybody’s wheelhouse from the regulator standpoint,” Johnson says.
Third-party experts like Bingham bridge a knowledge gap within the department, advising on policy and enforcement procedures. But, a lack of technical expertise impedes state regulators’ ability to be proactive. Bingham has worked with regulators who admit to not knowing how to assess companies’ efforts at implementing cyber protections — they just mark the sheet that the company has done so.
“They have investigators who will go out and conduct investigations,” he says. “These investigators are not IT professionals. They’re not cyber security professionals.” Un-technical regulators trying to fix technical problems “is going to create issues for a while” until regulators decide “that should be part of the job description” — and can afford salaries for those experts.
The regulatory bang has to be worth the regulatory buck.
“No five-person shop is getting audited by whoever’s supposed to be enforcing the Gramm-Leach-Bliley Act safeguards rule,” Bingham continues. “It really comes down to the states to get their act together.” While Washington, Utah, New York, and North Carolina have been proactive, he says, others have been less so. Listing the states doing poorly is difficult.
“A lot of them are just not doing much of anything,” he says. “That’s about as bad as it gets.”