The Mortgage Industry’s Cyber Blind Spot

As new cybersecurity regulations take effect, smaller companies lack visibility into their own organizations

Staff Writer

The disconnect Bingham highlights underscores what cyber experts see as an industry-wide complacency to build resilience against rising cybersecurity threats. Industry regulators are ill-equipped to implement and enforce cybersecurity policies. Indicative of this deeper problem, Bingham estimates that 90% of breaches at the mom-and-pop shops he serves aren’t reported.

“It’s very clear that up until this point, it’s kind of been ignored by regulatory agencies, both state and federal,” he says. Updates to the Gramm-Leach-Bliley Act (GLBA), which took effect in June 2023, provide a modern, federal framework for protecting consumer data. A handful of states have been proactive, passing their own cybersecurity regulations. Agencies like Ginnie Mae have instituted strict breach notification requirements.

It’s the deaf leading the blind, though, because the greatest cybersecurity threat mortgage company owners and operators face is their own reluctance to take the threat seriously. Cyber criminals, like most criminals, look for the path of least resistance. Don’t be your own worst enemy, experts say — it’s not about eliminating risk, but creating resistance.

“Turning a blind eye is just another term for risk acceptance,” says Michael Nouguier, chief information security officer and head of cybersecurity consulting services for Richie May, the mortgage industry-specific tax, audit, and advisory firm. Even following a recent spate of high-profile cybersecurity incidents impacting the likes of Mr. Cooper, Fidelity National Financial, First American, Fairway Independent, and loanDepot, Nouguier still hears from mortgage executives, “I don’t want to know because then I have to do something about it.”

Three years ago, it was difficult for Bingham to get mortgage professionals to listen to his warnings. As companies gradually incorporate cyber risk in their overarching business models, a gulf exists between top-down regulatory actions and bottom-up compliance efforts, forcing cybersecurity experts to ask a new question of the industry: which companies — and customers — are left behind?

“It Won’t Happen To Me”

The pervasive attitude among mortgage executives concerning cyber attacks is, “it won’t happen to me.” To that, experts reply, “until it does.” Because investing in cybersecurity does not directly correlate to the way mortgage companies make money, companies find it difficult to justify the expense. Experts say it must become part-and-parcel of operations.

“Lenders understand financial risk as kind of a foundational aspect of their business, but you really have to look at compliance risk and digital risk there,” says Craig Mertens, principal architect at High Gravity, a cyber consulting firm. Prior to High Gravity, Mertens spent a decade in “big consulting” for Accenture, working with healthcare, finance, and mortgage companies.


From his perspective as a software architect and implementation specialist, “there’s a whole portfolio of risk liabilities that sometimes just kind of fall through the crack.” Companies know they need someone to lead, monitor, and audit their financial operations, and that doing so effectively requires leadership and expertise. Yet they still treat cybersecurity leadership and expertise as optional, even as their day-to-day financial operations become more digital.

During 2020 and 2021, mortgage companies grew exponentially overnight. As they grew, many invested in new technologies and platforms, including cybersecurity. As profits and savings dwindled over the past two years, cybersecurity spending was often one of the first expenses to be cut.

Bingham tries to quantify for clients how much more a system breach costs than preventive investment. “It falls on deaf ears unless regulation is pushing them that way already,” he says. Given the belt-tightening measures many companies have taken over the past two years, people tell him, “I practically don’t have a company to lose if someone were to hack me.” He doubts that logic would satisfy the borrowers whose data ends up on the dark web.

Helping companies overcome the expense of investing in cybersecurity was part of Bingham’s plan in starting LendSafe. His subscription-style pricing model scales with the size of the shop, with monthly pricing starting at $100 per office location, plus $10 per employee. He can operate at this lower price point because he was an originator — he knows how the industry operates, the digital tools companies use, the third parties they grant access to, and the regulations.

Many companies fail to realize that having cybersecurity protocols in place mitigates the impact of a breach, for example by reducing downtime after an attack. Demonstrating strong awareness of the risk also plays better in a courtroom than negligence does. Ultimately, no company is too small to be the target of a cyberattack.

“I get on the phone with owners of companies that are crying sometimes,” says Nouguier, “ ‘I don’t know what to do. Nobody can email. We’re losing money left and right. We can’t access our systems.’ Those things were truly not considered ahead of time.”

A Rising Cyber Risk

One client Bingham helped recently had an attacker in their email accounts for four months before being discovered. Imagine someone living in your attic all winter without you knowing.

“They had no idea that there was even someone in there,” he says. Every email sent and received was available to that intruder. He estimates that 10% of small brokerages have an employee with a compromised email account. He also estimates that simple actions like resetting passwords and requiring multi-factor authentication can mitigate 80-90% of all attacks.


At the end of the day, most cyberattackers aren’t hacking in, but logging in. Most cyber criminals are opportunists: if a door is left ajar, they’ll push it open. Only very sophisticated hackers employ a digital battering ram to break down the door altogether. Rarely is a smaller mortgage company targeted with something like a “zero-day exploit,” an attack on a vulnerability that the company that developed the affected technology (Microsoft, say) does not yet know exists.

Mertens has consulted for small mortgage companies, with 300–400 employees and $150 million or less in annual production, that log tens of thousands of security events each day. “Security events are at a very granular level,” he explains. “There’s a huge amount of malicious activity going on just as drive-bys.” That number grows as the industry itself becomes more of a target.

Headline-grabbing ransomware attacks are typically orchestrated by sophisticated cyber criminals targeting larger lenders and servicers. Those attacks involve encrypting, stealing, and holding data for ransom under threat of publishing it online. Those attackers recognize that data is how mortgage companies, especially servicers, make money. Less sophisticated cyber criminals, who experts say make up the majority, target borrowers and businesses directly through compromised email accounts, phishing campaigns, and wire fraud.

“We’re seeing that a ton in broker shops and small, mom-and-pop shops,” says Bingham about the latter type of attack. “It’s like two originators in the company, and yet they have someone sitting on their emails, basically skimming all that information and then shooting out emails to borrowers as they get close to closing.” This happened to another client of Bingham’s recently.

He traced the cause to re-used passwords. “You don’t have to be smart at all,” Bingham continues. Most likely, a cyber criminal found the company’s passwords and the associated email addresses in a database on the dark web. Until the last year or so, companies and regulators had largely ignored these emerging cyber threats, especially as they affect smaller mortgage companies.

However, the clients of smaller mortgage companies have the same right to data security as the borrowers who get a mortgage from Mr. Cooper or loanDepot. Bingham fears a lack of regulatory pressure on smaller shops threatens to leave those customers and companies unprotected, even as new federal and state regulations are being drafted and implemented.

Cyber Risk Is Business Risk

When Bingham was still originating and LendSafe was still in the planning stages, a conversation with a broker-owner confirmed his worst fears.

Bingham asked the man how his shop conducted business. “Over email,” the man said. How old was the business? “10 years old,” he replied. Had he ever changed his email password? “Never.” Did the man use multi-factor authentication? “Nope, none of that.” If I broke into your email, would I find 10 years of your borrowers’ documents? “I guess so.”

“One of the concepts that I’ve been preaching for years and years is that there’s no longer this segmentation between business risk and cyber risk. They all exist as one at this point,” says Nouguier. “You as an organization need to consider that technical cybersecurity risk as a part of your business risk.”

By their nature, he explains, cybersecurity risks pose a much more acute threat to companies than other business risks. Elevated interest rates impact a company gradually, over time. A tornado or wildfire destroying an office is an acute risk, but unlikely in most places. Online systems, wherever they are, can be hijacked from anywhere and kept offline for days or weeks, and millions of dollars in lost revenue can accrue extremely quickly.

Mertens calls digital risks “uncaptured liabilities,” and insists that understanding cyber risk as part-and-parcel of business risk means companies must reconcile network and endpoint vulnerabilities with a more nuanced financial accounting. “If you have a loan portfolio, you have a statistical understanding of what that risk looks like as kind of a liability,” he says. “But, what’s the on-paper value of a hacker getting into the network?”

Nouguier hopes that aggressive reporting requirements by the Securities and Exchange Commission (SEC), Ginnie Mae, and state regulators like the New York Department of Financial Services (NYDFS) will force companies to develop a more mature security posture.

When a breach happens to a mortgage company operating in New York, for example, failure to inform regulators incurs a hefty fine, and possible loss of licensure. The NYDFS also requires annual attestations as to a company’s cybersecurity protocols. At 48 hours, Ginnie Mae has instituted the shortest breach notification window of any federal mortgage regulator. The SEC requires publicly traded companies to report breaches within four business days of their knowledge of the breach.

And yet, many companies lack the infrastructure to identify or diagnose a breach so quickly. “It’s a hyper mature organization that can detect a cybersecurity incident that is material to them and go through an entire incident response program in 48 hours,” Nouguier says. “Mortgage companies are looking at this saying, ‘We don’t have this visibility inside of our organization.’”

The way cyber risks can impact mortgage companies also changes as technologies evolve.

“What’s kind of reared its ugly head in the last half-a-year or so is this third-party risk that is impacting organizations,” Nouguier continues. “The two largest things impacting the mortgage industry at this time are the human element, due to their public exposure, and third-party risk management.” For mortgage companies that rely on third-party technology providers to run their daily operations, third-party risk management is more of a legal issue than a technical problem.

A mortgage company can be liable if a third-party provider is breached, even when the company itself is not directly at fault, and regulators like Ginnie Mae and the NYDFS extend their stricter standards to mortgage companies’ third-party providers. While forcing stricter standards on companies and their technology providers can drive a culture shift within the industry, much is left to be desired when it comes to enforcing those laws and auditing compliance so that cyber incidents are prevented in the first place.

Most state regulators charged with auditing mortgage companies are not even IT experts, let alone cyber experts. “They’re lawyers,” Nouguier says. “They’re not in-the-trenches IT and cyber people.” When regulators come knocking, 90% of the time what gets audited is the company’s submitted responses to a questionnaire, he says.

When a breach occurs, “I don’t think that any regulatory body at this point is sending somebody into mortgage banks to understand what’s happening,” Nouguier continues. “It’s usually just questions that are emailed back and forth, and it’s based on what responses you give.”

State Regulators Slow To Adapt

In August 2023, Utah implemented new policies for reporting and protecting against cyber incidents. Bingham was directly involved in this process, offering his expertise as a consultant to Utah’s Department of Real Estate’s (DRE) Mortgage Commission. He says he had to push “pretty hard” just for Utah regulators to include breach notification requirements.

For an attack like that experienced by California-based loanDepot in January, “if that had only happened in Utah, you would probably never find out about it. It’s such a patchwork of different reporting laws that frankly falls really, really short,” he explains. The news of loanDepot’s cyber incident stemmed from a regulatory filing in Maine, where breach reporting is mandated.

If a mortgage company operating in Utah suffers a data breach now, it must notify borrowers as well as regulators. Other changes include deleting customer data when it is no longer needed and removing terminated employees’ access to all systems. Employees not working in licensed branch locations must be provided with a VPN by their sponsoring entity.

An industry veteran of more than a decade, Gina Johnson is co-owner of Clearfield, Utah-based Lift Home Lending, and contributed to the state’s efforts as a DRE commissioner. Her involvement began at the tail end of the process, but Johnson has been implementing cybersecurity best practices at her company for years.

A friend of Johnson’s recently fell victim to wire fraud during a mortgage transaction. Not using Johnson’s company, he had been showing her documents throughout the loan process to glean her expertise as a second opinion. Then she received this text from him: “I just lost $190,000.”

He had wired the sum to a cyber criminal posing as his title company. Highly intelligent and armed with a Master’s degree, “he’s not your victim that’s like 75 and doesn’t know how to use a computer,” Johnson says. Nevertheless, he is one more data point proving that any borrower can fall victim to cyber crime, as can any business. Her friend was doing business through a local credit union and a local title company, as opposed to a large, national company.

A day-one conversation with every client of Johnson’s includes a lecture on wire fraud and the safe transmission of documents. Despite Utah’s step in the right direction, though, Johnson and Bingham believe weak enforcement undermines the new rules. There are more than 6,000 licensed loan officers in Utah. When it comes to auditing a mortgage company operating in the state, ensuring the use of VPNs or testing their system for vulnerabilities, “I don’t think that’s anybody’s wheelhouse from the regulator standpoint,” Johnson says.

Third-party experts like Bingham bridge a knowledge gap within the department, advising on policy and enforcement procedures. But, a lack of technical expertise impedes state regulators’ ability to be proactive. Bingham has worked with regulators who admit to not knowing how to assess companies’ efforts at implementing cyber protections — they just mark the sheet that the company has done so.

“They have investigators who will go out and conduct investigations,” he says. “These investigators are not IT professionals. They’re not cyber security professionals.” Non-technical regulators trying to fix technical problems “is going to create issues for a while” until regulators decide “that should be part of the job description” and can afford salaries for those experts.

The regulatory bang has to be worth the regulatory buck.

“No five-person shop is getting audited by whoever’s supposed to be enforcing the Gramm-Leach-Bliley Act safeguards rule,” Bingham continues. “It really comes down to the states to get their act together.” While Washington, Utah, New York, and North Carolina have been proactive, he says, others have been less so. Listing the states doing poorly is difficult.

“A lot of them are just not doing much of anything,” he says. “That’s about as bad as it gets.”

This article was originally published in the NMP Magazine December 2024 issue.
About the author: Ryan Kingsley is a staff writer at NMP.
Published on Dec 16, 2024.