The growing threat of cybercrime in the mortgage industry

What do mortgage professionals need to know to keep their business secure?

Cybercrime figures released by Statistics Canada at the end of July made for sobering reading, revealing the number of cybercrime incidents in the country has ballooned dramatically in recent years.

The agency said the police had reported over 63,000 instances of cybercrime in Canada in 2020, up from just over 48,000 the previous year and 24,000 in 2016.

As members of an industry that requires swathes of personal information from clients, the implications of that spike for mortgage professionals are clear. Speaking at a Canadian Mortgage Brokers Association (CMBA) symposium in Vaughan last week, Derrick Leue (pictured top), president and CEO of PROLINK – an insurance brokerage whose clients include private lenders and mortgage investment corporations – said that the amount of data stored by mortgage brokerages meant they needed to be fully aware of the risk posed by cybercriminals.

“This is a big reason why hackers would care about mortgage brokers and mortgage agents – as almost a conduit to get to lenders at times, or just get to the information they need to impersonate people,” he said.

“There’s a lot of valuable information that you’re holding on Canadians overall. So that’s why vulnerability is really something to be aware of and take seriously.”

Leue said it was crucial that brokerages have a response to potential cybercrime and breaches of security mapped out in order to mitigate the damage those attacks can cause.

“It’s about setting up your system so that when it happens… you respond really fast, and in the most professional way possible, so that the privacy commissioner is not going to take it to another level or worse, have a lawsuit against you as an individual or your firm overall,” he said.

Claudiu Popu (pictured below), CEO of cybersecurity platform Informatica Security, told attendees that thousands of strains of ransomware (malware that blocks access to data, or threatens to publish it, unless a fee is paid) had emerged in recent years, with figures indicating that it takes around 270 days on average for an infection on a corporate network to be discovered.

“We have this expectation that when we get infected, we’ll know right away,” he said. “That’s not the case; they case the joint and then they spread the malware across the network. Only when it’s convenient to them do they make themselves known.”

The current global number of active malware strains is also mushrooming: Popu said that on a daily basis, there are 10,000 new strains of malware being launched into the internet ecosystem, with Canada a top-10 contributor to new malware.

With that in mind, Popu stressed the importance of ensuring that passwords are robust and varied, with password leaks allowing cybercriminals to try them out on a variety of sites – meaning that individuals who use the same password across a range of accounts are at greater risk of a widespread breach.

Using different passwords, and coming up with passphrases that are at least 14 characters long, is the best way to secure an account, Popu said – something that’s important to communicate to all employees using the same system.
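The two habits above, unique passwords per site and passphrases of at least 14 characters, are easy to audit once credentials live in a password manager. The script below is an added illustration, not something presented at the symposium or published by either speaker: it audits a constructed, hypothetical vault export, flags entries that are reused across sites or shorter than the 14-character figure the article cites, and compares hashes rather than raw strings so the audit report never reprints a secret.

```python
import hashlib
from collections import defaultdict

# Minimum length taken from the 14-character passphrase figure in the article.
MIN_PASSPHRASE_LEN = 14

# Constructed sample vault (hypothetical sites, users and passwords for illustration only).
SAMPLE_VAULT = [
    {"site": "lender-portal.example", "user": "agent1", "password": "Winter2021!"},
    {"site": "crm.example", "user": "agent1", "password": "Winter2021!"},
    {"site": "email.example", "user": "agent1", "password": "correct horse battery staple"},
    {"site": "bank.example", "user": "agent1", "password": "maple-leaf-sky-river-42"},
]


def fingerprint(password):
    """Short SHA-256 prefix used only to detect reuse without reprinting the secret."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()[:12]


def audit_vault(entries, min_len=MIN_PASSPHRASE_LEN):
    """Return [(site, [issue, ...]), ...] for every entry that breaks a rule."""
    sites_by_fp = defaultdict(list)
    for entry in entries:
        sites_by_fp[fingerprint(entry["password"])].append(entry["site"])

    findings = []
    for entry in entries:
        issues = []
        length = len(entry["password"])
        if length < min_len:
            issues.append(f"too short ({length} < {min_len})")
        # Any other site sharing the same fingerprint means the password is reused.
        others = [s for s in sites_by_fp[fingerprint(entry["password"])] if s != entry["site"]]
        if others:
            issues.append("reused on: " + ", ".join(others))
        if issues:
            findings.append((entry["site"], issues))
    return findings


if __name__ == "__main__":
    for site, issues in audit_vault(SAMPLE_VAULT):
        print(f"{site}: {'; '.join(issues)}")
```

Run on the constructed vault it reports the two sites sharing the short `Winter2021!` password and nothing for the two long, unique passphrases; pointing it at a real export from a password manager's CSV is a one-line change to how `SAMPLE_VAULT` is loaded.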

While phishing, the sending of fraudulent messages to trick recipients into disclosing personal information, has been a significant trend in cybercrime for many years, Popu noted that messages related to the COVID-19 pandemic have emerged as a significant recent trend aimed at deceiving victims.

Where urgent action on a bank account might have been requested in the past, phishing messages are increasingly likely to mention vaccine passports or an imminent risk to health information if the recipient doesn’t click a link.

What hasn’t changed is the element of urgency in phishing messages, something that’s always a telltale sign of cybercriminals attempting to extract personal information from victims.

“All phishing messages in the world have something in common: urgency,” said Popu. “Introduce it in your security awareness training within your organizations, and try to make it easy for your users to think of the simplest possible cues that allow them to memorize some of these things.”
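Popu's advice to give users the simplest possible cues can be turned into a training aid. The following is an added example, not material from the symposium or from Informatica Security: it scores constructed sample messages on the urgency phrases the article describes and, separately, on the pandemic-themed lures it mentions, so that trainees can see exactly which words tripped the flag. The cue lists and the flagging rule are assumptions chosen for illustration.

```python
import re

# Urgency phrasing, the common element the article says every phishing message shares.
URGENCY_CUES = [
    r"\burgent(ly)?\b", r"\bimmediately\b", r"\bwithin \d+ hours?\b", r"\bact now\b",
    r"\bexpire[sd]?\b", r"\bsuspend(ed)?\b", r"\bfinal (notice|warning)\b", r"\blast chance\b",
]
# Lure themes the article says have become common; tracked separately from urgency.
LURE_THEMES = [r"\bvaccine passport\b", r"\bhealth (information|records?)\b", r"\bcovid[- ]?19\b"]
LINK_RE = re.compile(r"https?://\S+", re.IGNORECASE)

# Constructed sample messages (hypothetical text and .invalid hostnames, for illustration only).
SAMPLE_MESSAGES = {
    "lure": "URGENT: your vaccine passport will be suspended within 24 hours. "
            "Verify your health information immediately: http://example.invalid/verify",
    "benign": "Hi team, the Q3 lender rate sheets are attached. No action needed until Monday.",
    "bank": "Final notice: your account will expire today. Act now at http://example.invalid/login",
}


def _hits(patterns, text):
    """Return the list of cue patterns that match the text (case-insensitive)."""
    return [p for p in patterns if re.search(p, text, re.IGNORECASE)]


def score_message(text):
    """Score one message; the flag fires on urgency plus either a link or a lure theme."""
    urgency = _hits(URGENCY_CUES, text)
    lures = _hits(LURE_THEMES, text)
    has_link = bool(LINK_RE.search(text))
    return {
        "urgency_hits": urgency,
        "lure_hits": lures,
        "has_link": has_link,
        "flag": len(urgency) >= 1 and (has_link or len(lures) >= 1),
    }


def score_all(messages):
    """Score a {name: text} mapping and return {name: result}."""
    return {name: score_message(text) for name, text in messages.items()}


if __name__ == "__main__":
    for name, result in score_all(SAMPLE_MESSAGES).items():
        print(name, "FLAG" if result["flag"] else "ok", result["urgency_hits"], result["lure_hits"])
```

The point of returning the matched cues rather than a bare score is the one Popu makes: users remember "urgent", "within 24 hours" and "act now" far more easily than an abstract risk number.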

The good news is that prevention is possible, with both speakers emphasizing that training and privacy policies should be enforced and security controls, password management controls, antivirus software and security patches put in place.

Having written policies in place to manage cybersecurity risk or reporting is also becoming increasingly commonplace, with StatCan reporting last year that 38% of large businesses in Canada had a cybersecurity insurance policy compared with 24% in 2017.

Among businesses in the finance and insurance sector, that figure rose from 41% in 2017 to 55% in 2019.

Leue said that a cyberinsurance policy would give mortgage professionals access to a cyber breach coach service, with forensic consultants available to assess the damage, patch the problem and help rebuild the data.

It can also assist with any potential reputational damage caused by a data breach and with notification costs, as well as mitigating the risk of lost business, commission and fee revenue that arise from network and system outages as a result of an infection.

Popu said that having incident response teams and plans in place – and testing those on an annual basis – could make a big difference for companies in dealing with the risk of cybercrime.

Constant monitoring and alerting reduce the window of opportunity for criminals and mean that the 270-day timescale for the discovery of a serious breach can be reduced to a matter of hours.

“Have as many mechanisms in place to let people know when their account is accessed without authorization,” he said. “Response is very important, which is why we say you need to test your response plan and make sure that it works.

“The worst thing you can have in cybersecurity operations is a false sense of security.”
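Popu's closing advice, alerting on unauthorized account access so the 270-day discovery window shrinks to hours, is the kind of check a brokerage can run over its own authentication logs. The example below is added for illustration and is not the speakers' or any vendor's code: it parses constructed, hypothetical login events in a made-up log format and raises alerts for a success that follows repeated failures from the same address, for a first login from a device the user has never used, and for logins outside business hours. The log format, thresholds and business-hours window are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log line format (constructed for this example, not a real product's format).
LINE_RE = re.compile(
    r"(?P<ts>\S+) login user=(?P<user>\S+) ip=(?P<ip>\S+) "
    r"device=(?P<device>\S+) result=(?P<result>success|failure)"
)

# Constructed sample events: a normal morning, then a late-night success after two failures.
SAMPLE_EVENTS = [
    "2021-09-01T09:02:11 login user=agent1 ip=203.0.113.5 device=laptop-7 result=success",
    "2021-09-01T09:40:33 login user=agent1 ip=203.0.113.5 device=laptop-7 result=success",
    "2021-09-01T22:15:02 login user=agent1 ip=198.51.100.77 device=unknown-android result=failure",
    "2021-09-01T22:15:20 login user=agent1 ip=198.51.100.77 device=unknown-android result=failure",
    "2021-09-01T22:15:48 login user=agent1 ip=198.51.100.77 device=unknown-android result=success",
]


def parse_event(line):
    """Parse one log line into a dict, or None if it does not match the assumed format."""
    match = LINE_RE.match(line)
    if not match:
        return None
    event = match.groupdict()
    event["ts"] = datetime.fromisoformat(event["ts"])
    return event


def detect_alerts(lines, fail_window=timedelta(minutes=5), fail_threshold=2, business_hours=(7, 19)):
    """Return [(timestamp, user, reason), ...] for events worth notifying the account owner about."""
    known_devices = defaultdict(set)          # user -> devices seen on successful logins
    recent_failures = defaultdict(deque)      # (user, ip) -> failure timestamps
    alerts = []
    for event in filter(None, map(parse_event, lines)):
        key = (event["user"], event["ip"])
        if event["result"] == "failure":
            recent_failures[key].append(event["ts"])
            continue

        # Success: count failures from the same address inside the window, then reset.
        failures = recent_failures[key]
        while failures and event["ts"] - failures[0] > fail_window:
            failures.popleft()
        if len(failures) >= fail_threshold:
            alerts.append((event["ts"], event["user"],
                           f"success after {len(failures)} failures from {event['ip']}"))
        failures.clear()

        # A device never seen before for this user; the very first login only sets the baseline.
        devices = known_devices[event["user"]]
        if event["device"] not in devices:
            if devices:
                alerts.append((event["ts"], event["user"],
                               f"new device {event['device']} from {event['ip']}"))
            devices.add(event["device"])

        if not business_hours[0] <= event["ts"].hour < business_hours[1]:
            alerts.append((event["ts"], event["user"], "login outside business hours"))
    return alerts


if __name__ == "__main__":
    for ts, user, reason in detect_alerts(SAMPLE_EVENTS):
        print(f"{ts.isoformat()} {user}: {reason}")
```

Each alert is something the affected user can confirm or deny in seconds, which is what makes it a usable response trigger rather than noise; in practice these would feed the same notification channel the incident response plan is tested against.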