After a weekend packed with learning opportunities at the annual Mortgage Bankers Association conference in Austin, Texas, Saxony Partners’ Michael Martin said his biggest takeaways were centered around cybersecurity.
Martin, a Senior Manager for the firm’s Financial Services practice, attended a panel discussion called “Ransomware and Other Security Threats in Your Backyard.” The panel consisted of cybersecurity experts from both the private sector and the U.S. government and opened with examples of mortgage companies who have experienced security breaches firsthand.
The most gut-wrenching statistic from the panel? Every 14 seconds, a company falls victim to ransomware attacks.
“Within the last 6 months, there was lots of news coverage around a well-known company who lost access to their ticketing system due to ransomware,” Martin said. “It was a major outage, and I think it really called attention to some cybersecurity blind spots in the mortgage industry.”
“It has created a lot of anxiety,” Martin said. “People are suddenly asking the important questions, like ‘How can I be sure isn’t something that happens to me?’ and ‘How do I know that I’m not next?’”
The safe bet is to assume that you may in fact be next, and companies are finally shifting to the ‘Not if, but when’ mentality when it comes to cyberattacks.
So, how can mortgage companies prevent ransomware attacks?
As someone with a strong background in information security and governance, Martin opined about the risk mitigation strategies he sees as effective for protecting the confidentiality, integrity, and availability of information in large-scale mortgage operations.
“The proactive approach to cybersecurity through prevention is ideal,” Martin said. “But it takes investment, training, and the right kind of infrastructure.”
Part of a proactive approach to cybersecurity involves establishing the policies, procedures, and incident response routines for your company in the event of a ransomware attack. The MBA panel discussion suggested an exercise similar to a fire drill that can help companies begin this process. It starts with a “tabletop” exercise.
“One of the biggest focus areas at MBA was the importance of the tabletop,” Martin said. “Essentially, it’s a scenario planning event with the senior members of a company working through the steps they would take to handle a hypothetical ransomware situation.”
Martin said because of the nature of cybersecurity attacks, overcoming a ransomware situation is difficult for even the most prepared companies. But for those who haven’t invested time and money in security, the situation is a nightmare.
“If you don’t have an information security office or a formal information security program, effective incident response will be impossible,” Martin said.
Since dedicated security personnel can add significant overhead, many companies are opting to use consulting services to keep their information safe. Having consulting resources and an incident response partner can help companies avoid being stuck in reactive mode when an incident occurs.
“When you don’t know who to call or what to do, inevitably that means you are unnecessarily losing a lot of business,” Martin said.
What should mortgage companies do when a ransomware attack does happen?
For companies that have cyber insurance, the response to a hacker attack is simple.
“If for any reason you have evidence a breach may have occurred, you should contact your cybersecurity insurance company immediately,” Martin said. “Working with your cybersecurity insurance provider is a gateway to taking swift, remediating steps.”
On the other hand, companies without any cyber insurance have a more difficult question to face. Should you pay the ransom? According to the experts featured at MBA, the answer is unique to every company and situation.
“Some experts may tell you to never pay the ransom, but ultimately it’s a decision for each individual company to make on their own,” Martin said. “Sometimes, paying it is the more cost-effective option for companies without cyber insurance or a well-established incident response plan.”
What are some cybersecurity action items mortgage companies can take?
As technology within the mortgage industry has continued to advance, companies feel pressure to compete by making information and payment procedures more accessible to customers. Mobile mortgage apps, for example, are now seeing widespread use across the country.
While embracing a more positive user experience is good for business, Martin stressed the importance of balancing technology with appropriate security.
“The speed of technological innovation has been incredible, but the rapid innovation has not taken security into account,” Martin said. “Companies are making their investments in new technology to keep up with their competitors. But they aren’t investing enough in properly securing these new digital applications.”
The most important priorities for mortgage companies who want to remain secure: risk assessment and insurance.
“If you have anxiety about what would happen in the event of a security breach, there are preventative steps you can take,” Martin said. “Cyber insurance is the first priority. Get in contact with a reputable insurance provider and get a policy.”
Note that cybersecurity policies are a newer form of insurance, and typically require significantly steeper premiums for the same level of coverage.
“Secondly, get engaged with someone who can strategically help you with the steps to determine your company’s needs within a policy,” Martin said. “Get an information security risk and compliance assessment done and have a formal plan in place. Have incident response policies and procedures ready in the event of a cyberattack.
“Even if the worst happens, your personnel will know where to go and what to do.”
How can mortgage companies choose the right cyber insurance policy?
To ensure your company has the most beneficial cyber insurance policy possible, Martin stressed the importance of relying on knowledgeable data consultants and assessing your current systems.
“You need to choose a policy based on your company’s risk tolerance,” Martin said. “This is very difficult to do without getting an assessment done first. Look for a reasonable premium. Figure between $1 and $2 million of coverage for small company, or between $3 and $10 million for larger company.”
Martin said to watch out for verbiage within a policy that indicates coverage “per incident.” This can come back to haunt companies who fall prey to a series of attacks over a sustained period due to the same root cause vulnerability. He also explained the importance of coverage for business continuity while your systems are shut down.
“When a ransomware attack happens, the first thing people do is shut down their systems,” Martin said. “That is the right approach, but it also means shutting down your primary revenue stream. A quality policy must cover loss of revenue while your systems are down.”
Looking to the Future of Cybersecurity for Mortgage Companies
As cybersecurity threats continue to grow, mortgage companies need to be ready to face them directly. If your mortgage company needs assistance evaluating cybersecurity weaknesses and determining the best solutions for keeping your data safe, the Financial Services team at Saxony Partners can help.
Michael Martin’s final advice for mortgage companies was simple.
“Take stock, do a risk assessment, and understand where your weaknesses are. Then you can compare your weaknesses to your policy options.”