Recent cyberattacks at mortgage companies have put the industry in alert mode, executives at top lenders, servicers, tech vendors and investors told HousingWire.
Mr. Cooper Group, loanDepot, First American and Fidelity National Financial Inc., parent of servicer LoanCare, have temporarily shut down their systems to contain cyberattacks that exposed their customers’ data.
Executives don’t have a clear answer for why the mortgage sector, mainly servicers, has sustained so many attacks of late, although some believe the problem is related to financial institutions as a whole. But they acknowledge that they keep a vast amount of customer data and some players may be vulnerable amid a shrinking market.
“Cyberattacks are what keeps me up at night,” an executive responsible for the servicing book at a top lender told HousingWire under the condition of anonymity for fear of his company becoming a target.
“It’s scary out there,” a technology leader at a top lender said anonymously, adding that there were recent cyberattack attempts at his company.
According to the tech leader, “it feels like there’s a target on mortgages,” which makes sense considering the types of data and documents these companies deal with. When a homebuyer gets a mortgage, they “have to peel back the curtain of their lives” and the “bad guys” want to access it, he said.
“We have a pretty robust data governance and risk analysis team whose full-time job is to protect and make sure that we’re using data in a safe and responsible way — whether it’s from a technology infrastructure perspective, actual use case or for modeling,” the source said.
The sources spoke to HousingWire during the Mortgage Bankers Association’s (MBA) Servicing Solutions Conference & Expo in Orlando.
Reputational risk
Mortgage companies, tech vendors and investors are taking steps to protect their systems. They have had conversations with their business partners to identify vulnerabilities and have tried to act as soon as possible to mitigate risks. Training their workforce is also crucial, they said.
Sometimes, however, they need “to implement something counterintuitive,” Sofia Kokolis, chief information security officer at Freedom Mortgage Corp., said during a session on cybersecurity at the conference.
“Every day we look to remove obstacles from a process and make it faster, more efficient, more accurate,” Kokolis said. “But in these cases, you have to inject some defaults.”
For example, companies should not allow someone to reset a password via the help desk without the attendant calling the manager, understanding the motivations or validating the change.
“You think you’re overcomplicating the process, but you’re adding in more verification steps that you definitely need to combat the threat that is taking advantage of our willingness and our one desire to help people,” Kokolis said.
Michael Nouguier, chief information security officer at consulting firm Richey May, said that companies need to ensure that they are applying cybersecurity standards not only to their operations but also to their “supply chain,” which includes tech vendors.
“[It] all gets tied back to the person who collects the data. And then you have reputational damage issues from that perspective,” Nouguier said.
Regarding the monitoring of vendors, Kokolis said that Freedom Mortgage has created a vendor information security team that looks at the cyber health of third parties on a routine basis.
Despite all of these considerations, a vice president at a tech vendor said that she’s trying to defend against the idea that “digitalizing the mortgage process increases this risk of cyberattacks.”
“The reality is, all that PII (personally identifiable information) and data is already out there,” the source said. “It’s already been in the cloud. Digitalizing the process doesn’t expose you to more risk. The challenge would be a paper process with less control over who gets access to the information.”
According to this executive, when her company heard about a cyberattack on a client, “the first thing that our team did was they looked at every endpoint where this client was accessing data from our systems or providing data, and we switched the keys in seconds.”
“Sometimes the vulnerability is not on your immediate counterparty but the counterparty’s counterparties,” she said. “So, you always have to look at the several degrees as a real vulnerability. If you are not scared and you are in mortgage tech, something is wrong.”
Secondary market
In the secondary market, credit agency Moody’s on Wednesday reported that cyberattacks could impair servicers’ abilities to collect payments from borrowers and remit them to the structured finance transaction in a timely manner. It could disrupt the cash flow to investors, Moody’s said.
Ultimately, Ginnie Mae put the topic at the top of its agenda at the MBA servicing conference.
“There have been at least half a dozen cybersecurity attacks that were successful within housing finance in the last several months; we’ve had to deal with some of those issues directly ourselves and to others we work with,” Sam Valverde, principal executive vice president at Ginnie Mae, said during a regulatory session at the conference.
Valverde said the problem affects homeowners, investors and insurance companies, and Ginnie Mae is “a bridge for all those counterparties.” These players need to “work well together” and that has been “a new priority” for Ginnie Mae, he said.