As mortgage cyber threats evolve, more self-testing is needed

Mortgage leaders are wary of the increasing cybersecurity risks pervading with the industry’s digital migration, yet many admit they aren’t taking the necessary precautions, according to a recent Arizent study.

They are most concerned about what consumers are doing on their phones, and who they’re granting access to data to, according to the Arizent survey. Yet only about half of those same respondents said they’re testing their own IT infrastructure’s cybersecurity, a glaring oversight at a time when fraud costs lenders more than four times their dollar amount lost.

“So many people in the industry don’t think that they’re susceptible, either because of their size, or because they outsource everything, or it’s not something they’ve thought about,” said JT Gaietto, chief security officer at Digital Silence. “So I’m surprised you even got half and your respondents to say that they’ve thought about it.”

The mortgage industry is more exposed to fraud than banks and other financial services, according to a LexisNexis Risk Solutions report. Threats occur at every step of the mortgage process, with losses coming from account creation and login to funds distribution. Acquiring housing through fraudulent activity was involved in five of their top six threats.

The mortgage industry’s exposure to fraud has risen significantly since the onset of the coronavirus pandemic. Every dollar of fraud loss cost lenders $4.40 in fines, legal fees, labor and related recovery expenses through the first three quarters of 2021, nearly a dollar greater than pre-pandemic losses, according to the LexisNexis report. Firms also reported a 2021 monthly average of 1,431 fraud attempts — they prevented 62% of the attacks but the volume remains above pre-pandemic levels.

Mortgage and banking respondents reported to Arizent better penetration testing than insurance carriers and wealth management: 54% said their organization practices periodic data breach simulations, while 47% said their firms routinely attempt to hack into their own IT infrastructure with or without a third-party expert. Mortgage firms not only need to improve precautionary measures, they may be forced to by their cyber insurance carriers, said Garry Woods, executive director of governance, risk, compliance and policy for cybersecurity firm Richey May.

“For a lot of organizations you’ll see a plan to bring those best services activities, it’s going to help minimize the increase annually of cybersecurity insurance,” Woods said. “I think you’re going to see that number over the next three years increase significantly.”

Companies are increasingly adopting digital business tools but the technology isn’t giving everyone greater peace of mind. Sixty-five percent of leaders told Arizent faster payments and money transfers have increased the cybersecurity risks for their firms. In a further breakdown, 50% of banking and mortgage respondents told Arizent mobile device use is increasing their cybersecurity risk profile, while 41% said increasing third-party access to data as directed by consumers is increasing vulnerability.

Most mortgage firms aren’t building their own mobile platforms and buying other popular products, Gaietto said. That makes them more at risk to threats like the Apache Software Foundation Log4j security vulnerability discovered in December, whose effects have yet to be determined.

“A lot of our mortgage and financial institution customers are really concerned about that because it’s very ubiquitous and it can impair their entire lending platform,” he said. “If their software is not up to date, you know, threat actors can then take down their manufacturing processes, and that’s obviously extremely costly.”

Viruses, malware and ransomware are still top-of-mind, with 61% of banking and mortgage leaders citing them as the greatest threat to their firms over the next 1-2 years. The devastating effect of ransomware was evident last summer when Cloudstar, the title and settlement firm, was attacked, leading other firms to step in and aid the cleanup.

Of banking and mortgage leaders, 49% identified spear phishing, fraudsters’ attempts to deceive mortgators through email for wire fraud, as one of their greatest cybersecurity threats. Woods identified spear phishing as the mortgage industry’s most common attack and also described a jump in bot attacks for companies that allow online loan applications — a threat just 31% of Arizent respondents said posed a greater risk in the near future.

Insider threats in the form of internal employees taking proprietary information and leaving the company are another concerning trend, Gaietto said. Of Arizent banking and mortgage respondents, 51% identified data breaches as one of their greatest concerns moving forward. Gaeitto predicted the threat would persist through 2023 as margins diminish with increasing rates.

“I think it’s really going to show itself in spades just because the industry, I don’t want to say it’s cutthroat, but it’s very much driven by financial gain,” he said. “And when the opportunity for that gain gets compressed, you see people doing things that they probably wouldn’t normally have done in other times.”

Despite pervasive cybersecurity threats, industry leaders remain confident in their gameplans, with just 1% of banking and mortgage respondents unsure of their firm’s practices. The majority of leaders indicated their firm will spend more on cybersecurity, and only 12% don’t have firm plans to invest into cybersecurity risk liability insurance.

The last hurdle for mortgage companies might be following the smorgasbord of regulations and standards for the industry, which also vary state by state.

“That’s the challenge for our industry,” Woods said. “It’s those compliance departments being able to come up with a common adherence program or risk and compliance program that could meet multiple state legislators.”

Comments are closed.