
Six Critical Cyber Security Questions Being Asked of Mortgage Lenders

Customers shopping for a mortgage lender, or who already have a lender, need to understand that these professionals know more about your deep, dark secrets than anyone. Depending on the situation, maybe even more than your doctor. In order to provide you with the financing necessary to purchase a home or other real estate, mortgage lenders must collect a VAST amount of information about you. And that information may or may not be secure.

It used to be that all your loan documents lived in large file cabinets in the company's offices, and all we needed to worry about was someone breaking in and carting away those papers. But that meant the thief had to be in the city where the office was, had to understand the company's filing system, had to be willing to break into the building with the possibility of being caught and, to do this at any scale, needed a large truck and some helpers with strong backs.

None of that is true anymore. The "papers" live as bits on a computer somewhere, possibly in "the cloud". Those bits can be accessed from anywhere on the planet, often with only a user id and password. The likelihood of being caught while hacking the firm (and your private data) from Outer Slobovia is almost zero. And the ability to steal vast quantities of data has become commonplace. Even if these hackers are identified, the likelihood of the hacker being arrested, prosecuted and convicted is almost zero.

Clearly, this means that we, as the owners of our private data, need to start holding businesses we work with - like mortgage lenders - to a higher standard.

To be clear, no mortgage firm wants their clients' data to be hacked, but preventing that takes work, may be inconvenient and likely will take time and money. And it is common knowledge in the cyber security industry that the mortgage industry is WAY behind the power curve on this issue. That leaves them, and you as their customer, exposed.

So, what are the SIX BASIC QUESTIONS you should ask?

  1. As my mortgage lender, what are your legal and/or ethical responsibilities to protect my personally identifiable information (PII) and other sensitive data and information associated with our relationship? A federal law called the Gramm-Leach-Bliley Act or GLBA (named after the 3 senators responsible for it) requires, among many things, that mortgage companies protect your private information. The Federal Trade Commission (FTC) oversees mortgage industry compliance with this federal law. As a result, your mortgage lender or broker should have a robust information security program and should be able to tell you what they do to protect your information.

  2. Who in your office has the ultimate responsibility for protecting the sensitive information described above? The person responsible should be at the executive and/or partner level, someone with decision-making authority and someone who can create policy for the organization.

  3. Are these responsibilities defined in the contract between your company and my firm (or myself)? Such language may commit your mortgage lender to certain responsibilities, therefore do not be surprised if the engagement or contract agreement does not include it. However, from your perspective, you want this language; otherwise your interests are not correctly protected. As a mortgage buyer, you have many choices for mortgage lenders and brokers. Your real estate agent or home builder may recommend a mortgage lender or broker. In some cases, they have a business relationship that gives them a financial incentive for you to use a particular lender or broker. That relationship, if it exists, must be disclosed to you. Ultimately, the choice of a lender or broker is yours. You are the customer, so it is your right to insist that the following topics be addressed in the engagement letter:

    a. Steps the company will take to protect your information
    b. How the company will limit access to that information to people with "a need to know"
    c. What information security policies have been put into place to govern the protection of your information
    d. When and how the company intends to notify you in case of a breach of information

  4. Who has access to my information and how does your company ensure that those with access protect my information? Many people within a company have access to your information on a regular basis, but professionally managed client data can be protected via systems which control data access. Access to your data should be controlled by a "Client Data Protection Policy." Ask to see a copy of this policy. In addition, access to data should be logged and records retained for a reasonable period.

  5. What other steps do you take to ensure that the information described above is correctly protected? A mortgage lender that takes protection of client data seriously should be engaged in a number of activities designed to protect your information. Such activities should include (but not necessarily be limited to) the following:
    1. Cyber security policies and procedures for a wide range of activities, including those described here
    2. Security awareness training for staff
    3. Correct firewall configuration and logging
    4. Encrypted work stations, personal computers, laptops, tablets and phones
    5. Proper passwords and password management systems for all devices, including use of two-factor authentication, where appropriate
    6. Proper remote access management
    7. WiFi management
    8. Software patch management
    9. Third-party vendor management
    10. An incident response plan

  6. What are your policies and procedures regarding notifying me in case of a cyber breach? Almost all states have requirements regarding breach notification. In many instances, a business may not even know that it has suffered a breach or what constitutes a breach, but in those cases when it DOES know that it has suffered a breach, what is the company's responsibility to you? Some of these responsibilities are spelled out in state-specific breach notification laws, but many companies go beyond these requirements. For example, no state requires a company to provide identity theft notification and repair services, but some companies do this in case of a breach. This should be clearly discussed in your contract.

For mortgage lenders, GLBA requires you to have a formal (i.e. written) information security program. Lenders should have a partner or executive in charge. Notice we did not say a manager - not even a director. Security needs to start at the TOP because executive endorsement and support are an absolute necessity. For most companies, that also means engaging outside expertise to assist - we can provide that. But getting started is the first step.


MORTGAGE LENDERS: Contact us to learn how we can help you better protect your customers' information.

FOR MORTGAGE BORROWERS: Call us for consulting services that will advise you on how to protect your important information.

Please call us at 303-997-5506 for more information.
