Mortgage Lender Support
Six Critical Cyber Security Questions Being Asked of Mortgage Lenders
Customers shopping for a mortgage lender, or who already have
a lender, need to understand that these professionals know more about your deep, dark secrets than anyone.
Depending on the situation, maybe even
more than your doctor. In order to provide you with the financing necessary to
purchase a home or other real estate, mortgage lenders must collect a VAST
amount of information about you. And that information may or may not be
secure.
It used to be that all your loan documents lived in large file cabinets in the
company's offices, and all we needed to worry about was someone breaking in and
carting away those papers. But that meant the thief had to be in the city
where the office was, had to understand the company's filing system, had to
be willing to break into the building with the possibility of being caught
and, to do this at any scale, needed a large truck and some helpers with
strong backs.
None of that is true anymore. The "papers" live as bits on a computer
somewhere, possibly in "the cloud". Those bits can be accessed from anywhere
on the planet, often with only a user id and password. The likelihood of
being caught while hacking the firm (and your private data) from Outer Slobovia is almost zero. And
the ability to steal vast quantities of data has become commonplace. Even if
these hackers are identified, the likelihood of the hacker being arrested,
prosecuted and convicted is almost zero.
Clearly, this means that we, as the owners of our private data, need to
start holding businesses we work with - like mortgage lenders - to a higher standard.
To be clear, no mortgage firm wants their client's data to be hacked, but
preventing that takes work, may be inconvenient and likely will take time
and money. And it is common knowledge in the cyber security industry that
this industry is WAY behind the power curve on this issue. That leaves
them...and you ...as their customer, exposed.
So, what are the SIX BASIC QUESTIONS you should ask?
- As my mortgage lender, what are your legal and/or ethical responsibilities to protect my personally identifiable information (PII) and other sensitive data and information associated with our relationship?
A federal law called the Gramm-Leach-Bliley Act or GLBA (named
after the 3 senators responsible for it) requires, among many things,
that mortgage companies protect your private information. The Federal
Trade Commission (FTC) oversees mortgage industry compliance with this
federal law. As a result, your mortgage lender or broker should have a
robust information security program and should be able to tell you what
they do to protect your information.
- Who in your office has the ultimate responsibility for protecting the sensitive information described above?
The person responsible should be at the executive and/or partner level, someone with decision-making authority and
someone who can create policy for the organization.
- Are these responsibilities defined in the contract between your
company and my firm (or myself)?
Such language commits your mortgage lender to certain responsibilities, so do not be surprised if the engagement
or contract agreement does not include
it. However, from your perspective, you want this language...otherwise your interests are not correctly protected.
As a mortgage buyer, you have many choices for mortgage lenders and
brokers. Your real estate agent or home builder may recommend a mortgage
lender or broker. In some cases, they have a business relationship that
gives them a financial incentive for you to use a particular lender or
broker. That relationship, if it exists, must be disclosed to you.
Ultimately, the choice of a lender or broker is yours. You are the customer,
so it is your right to insist that the following topics be addressed in the engagement letter:
a. Steps the company will take to protect your information
b. How the company will limit access to that information to people with "a need to know"
c. What information security policies have been put into place to govern the protection of your information
d. When and how the
company intends to notify you in case of a breach of information
- Who has access to my information and how does your company ensure that those with access protect my information?
Many people within a company have access to your information on a regular basis, but professionally managed client data can be protected via systems which control data access. Access to your data should be controlled by a
"Client Data Protection Policy." Ask to see a copy of this policy. In addition, access to data should be logged and records retained for a reasonable period.
- What other steps do you take to ensure that the information described above is correctly protected?
A mortgage lender that takes protection of client data seriously, should be engaged in a number of activities designed to protect your information. Such activities should include (but not necessarily
be limited to) the following:
- Cyber security policies and procedures for a wide range of activities, including those described here
- Security awareness training for staff
- Correct firewall configuration and logging
- Encrypted work stations, personal computers, laptops, tablets and phones
- Proper passwords and password management systems for all devices, including
use of two-factor authentication, where appropriate
- Proper remote access management
- WiFi management
- Software patch management
- Third-party vendor management
- An incident response plan
- What are your policies and procedures regarding notifying me in case of a cyber breach?
Almost all states have requirements regarding breach notification. In many instances, a business may not even know that it has suffered a breach
or what constitutes a breach, but in those cases when it DOES know that it has suffered a breach, what is the
company's responsibility to you? Some of these responsibilities are
spelled out in state specific breach notification laws, but many
companies go beyond these requirements. For example, no state requires a
company to provide identity theft notification and repair services, but
some companies do this in case of a breach. This should be clearly discussed in your contract.
For mortgage lenders, GLBA requires you to have a formal
(i.e. written) information security program. Lenders should have a
partner or executive in charge. Notice
we did not say a manager - not even a director. Security needs to start at
the TOP because executive endorsement and support are an absolute necessity.
For most companies, that also means engaging outside expertise to assist - we
can provide that. But getting started is the first step.
MORTGAGE LENDERS: Click HERE to learn
how we can help you better protect your customers' information.
FOR MORTGAGE BORROWERS: Call us for consulting services that will
advise you on how to protect your important information.
Please call us at 303-997-5506 for more information.