By John-Thomas Gaietto

One of the most critical topics for lenders in 2018 has been cybersecurity and the related regulatory pressure. Many firms continue to struggle with where they should invest to best reduce their overall cybersecurity risk and avoid additional regulatory scrutiny and fines due to a cybersecurity incident.

Consumer Data Privacy Impacts Mortgage Lenders

Two of the most widely discussed compliance issues this year have been the New York Department of Financial Services’ (NYDFS) cybersecurity regulation, NYCRR 500, and the General Data Protection Regulation (GDPR). Both regulations pushed the overall cybersecurity standards to a new level for financial services companies collecting consumer data.

However, the number of data breaches that seem to occur on a daily basis, consumers’ continued frustration over their lack of control over their data, and the impact of the breaches at SunTrust Bank and Equifax have together created a call to action at the state level for additional legislation to protect consumer data. Recently, Arizona (Arizona HB 2154), Colorado (Colorado HB 18-1128), Vermont (Vermont H-0764), and California (California Consumer Privacy Act; Assembly Bill 375) all passed new legislation attempting to fill in the gaps in the patchwork of data privacy legislation.

These new laws provide specific definitions of what the states consider personally identifiable information versus consumer data, as well as the difference between a cybersecurity incident and a confirmed data breach. The states also establish new expectations for how companies should prevent incidents and react when a breach occurs, and they create a framework for civil punishment through fines as a result of a data breach.

Many organizations are looking at a “pay now or pay later” decision as it relates to cybersecurity and compliance. One of the best ways to limit this exposure is to build out a functional roadmap to meet the demands of these new legislative requirements. Developing a holistic strategy not only helps control costs, but also limits risk exposure to cybersecurity incidents. Unfortunately, with a significant industry shortage in cybersecurity talent, many mortgage companies are finding it difficult to recruit qualified security professionals to aid in developing these plans and subsequently meeting the requirements.

And the Hits Just Keep Coming

The Verizon Business Data Breach Report found that in 2017, nearly 20 percent of all cyberattacks with confirmed data and financial loss impacted small and medium-sized financial services companies, including mortgage lenders. We continue to see attacks focusing on exploiting email communication, either targeting employees or customers to compromise data or gain access to funds. Regardless of an organization’s size, nearly all have been impacted by phishing, wire transfer fraud, or ransomware.

The recent Verizon Business 2018 Data Breach Investigations report found that ransomware was the fifth highest overall cybersecurity threat last year, beating out traditional malware, spyware, and the use of stolen credentials. In fact, ransomware increased nearly 50 percent in 2017.

However, as the bad guys adapt to new security strategies, they change their method of attack. In what has become known as “cryptojacking,” attackers focus on gaining access to a computer platform and installing software that generates Bitcoin or some other cryptocurrency. Instead of encrypting data and demanding ransom, the software works silently in the background, generating cryptocurrency at the expense of the victim.

Lastly, we continue to see cybersecurity incidents that result from the lack of appropriate security controls with third-party vendors, such as title companies and appraisers. These vendors have not traditionally adopted standardized technology or cybersecurity controls, leaving lenders who do business with them open to attack. Since an organization is only as secure as its weakest link, many lenders are reviewing and even considering leaving long-term relationships with vendors who have not adopted holistic security programs.

To combat these attacks, lenders should adopt a comprehensive email hygiene solution that includes not only spam filtering but also detection of threats such as malware. Organizations should also make sure that their email and DNS platforms have configured Domain-based Message Authentication, Reporting, and Conformance (DMARC). This protocol is used to defend your brand and customers against email spoofing attacks. The solution is so effective that the U.S. federal government has made the implementation of DMARC a requirement for all agencies and organizations that it operates.

Looking for Monitoring and Insight

Given the variety of attacks that mortgage lenders are being subjected to, along with compliance requirements for good monitoring and audit trails, demand is high for comprehensive monitoring and analytics that help lenders understand how their data is being utilized.

Earlier technologies, such as Security Incident and Event Management (SIEM), provided a platform for correlating and collecting logs and information from multiple sources within an environment. Intrusion Prevention Systems (IPS) were also utilized to provide automation around preventing active exploitation by an attacker within a company’s environment. The challenge with both technologies, however, is that they need constant care and feeding. Organizations must “tune” their SIEM and IPS solutions regularly, which results in increased labor costs.

The next wave of monitoring and analytics will be “managed” solutions that enable companies to simply outsource the IT staff. Such technologies include Amazon GuardDuty, which monitors threats and indicators of compromise and, through the use of machine learning, automates alerting and response to threats.

Overall, cybersecurity in 2018 is focused on reducing liability through adherence to compliance, reduction of fraud and increased efficiencies through better intelligence and threat management. These concepts require a multilayered cybersecurity strategy in order to reduce the risk exposure of an organization, and more importantly, its customers. Either way, lenders cannot afford a “wait and see” approach to dealing with new compliance challenges. Data privacy laws are accelerating, and lenders that lag behind could be left in the dust for good.


JT Gaietto

JT Gaietto is Executive Director, Cybersecurity Services for Richey May Technology Solutions. He focuses on providing clients with critical security and regulatory compliance support, including incident response, third-party risk management, business continuity and customer and government due diligence oversight. He can be reached at
