How vulnerable are mortgage brokerages to data breaches?

Sophistication has grown since pandemic, says expert

For the owner of any company storing sensitive and valuable information, a data breach is up there with the biggest nightmare scenarios – and that’s amplified even more in the mortgage industry, where the data stored by brokerages contains details of some of the biggest investments their clients will ever make.

While the shift during the COVID-19 pandemic from office-dominated work arrangements to a model that favours hybrid and remote work hasn’t necessarily heightened the risk of breaches in the mortgage space, it’s increased the need for vigilance and care about where data is being stored, according to an executive who specializes in mortgage industry data security.

Rob Mark of BVigilant told Canadian Mortgage Professional that previously, documents were mainly collected by brokers through email and stored in a desktop folder for client files – but cloud-based SaaS applications were now far more prevalent.

“You do have to be a lot more careful about where you’re storing your data, who has access to that data, and making sure that you have the appropriate controls in place,” he said. “I’m not even just talking about malicious actors – but controls in place to deal with an employee that leaves.

“You hire a fulfilment officer and they leave in six months or a year and they have access to every client file that you’ve ever worked on. A lot of that wasn’t an issue before because you just locked the doors to your office, or changed the locks, and it’s no longer a problem. They can’t get on a computer that’s in the office.”

How have attempts to steal customer data evolved in recent years?

Now, the onus is on brokerages to ensure that individuals who depart the company don’t retain access to confidential information after they leave. What’s more, the prominence of so-called ‘phishing’ emails – attempts to trick people into revealing sensitive information or to breach a system – has also grown.

“It only takes one person in your team to be breached,” Mark said. “Generally, brokers have all their client files shared with their whole team. Their underwriter needs it, their fulfilment officer needs it. If they’ve got a marketing person who’s doing market for them, they all need to see everything. So it creates a very large surface of attack.”

For hackers, email is considered the “golden goose” of attacking a system, according to Mark. The damage from Facebook or Instagram breaches is normally fairly minimal by comparison, since those platforms are far less likely to contain valuable client information.

Breaching email gives hackers the ability to send phishing links that appear legitimate – for instance, imitation DocuSign or referral agreement packages – to individuals within the company.

What’s more, attacker profiles have changed “dramatically” since the pandemic, Mark said, evolving from obscure individuals trying to write malicious code to an “entire enterprise” where hackers aren’t actually doing any of the coding themselves.

“They’re just paying a license fee like you would to your document submission platform,” he said. “They’re paying $40 a month to access some phishing toolkit. So the bar of entry has gone way down.

“There’s so much money to be made that a whole bunch of malicious organizations propped up with criminal enterprise backing, and sometimes state government backing… develop these tools where you just pay a monthly fee and you can phish whoever you want.”

Others don’t even use a monthly fee. “They do what’s called a commission split,” Mark said, “where you do the whole ransom process through the software… and the provider just takes a cut of the ransom when it’s paid.”

How can the mortgage industry safeguard against data breaches?

Most important for any industry – and brokerages in particular – is having an active training campaign in place to ensure that staff are fully cognizant of what phishing attempts look like and how to safeguard against them, according to Mark.

The repercussions of not putting up appropriate countermeasures are potentially serious, especially for those without insurance measures in place.

“We tell people to make sure they have cyber liability insurance because if you don’t, you probably won’t cover anything like this. The cost can get high,” he said. “You have to disclose to your clients… that their data may have been accessed. And the law is quite clear that if they may have been accessed it’s a breach – you have to let them know.

“That usually looks like sending out an email blast to every one of your clients… If you have insurance, insurance is generally good and will cover most of the financial impact. The real damage comes from the reputational damage of letting all your clients that you’ve worked for over the years know that you got hacked and their data was probably accessed.”
