Automated tools are becoming imperative for organizations to proactively mitigate cyber risks, but that’s not the only move that mortgage companies should have in their playbook.
Last month, vendor oversight platform Vendorly announced their agreement with BitSight, making them authorized reseller of BitSight Security Ratings. Steven Greenfield, CMB, is the director of operations at Vendorly, and offered some insight into how their collaboration can help Vendorly customers scale their vendor risk management programs, and other ways that mortgage companies can be certain that their vendors are adequately addressing cybersecurity risks.
PowerOriginator: What are some of the things that mortgage companies should be looking for when sourcing a third-party vendor, and what should make them wary?
Steven Greenfield: The first practice is to perform a risk assessment on the vendor you are considering – strategic and operational risk, credit, financial and reputational or regulatory compliance risk. In regards to vendor management, good vendor management takes oversight seriously and will apply specific controls based on the level of risk that the vendor may subject your organization to. The biggest mistake we see is vendor management treated as a one-size-fits-all effort. Oversight has to be tailored to the specific vendor types since each vendor may fall under different regulations. While there is no way to eliminate all risk, the residual risk may be reduced by proactive management of the vendor through periodic and annual assessments and leveraging ongoing monitoring.
Obtaining financials to determine if the vendor is financially sound is another area to consider. Is there a slow pay history? Is there a cash flow problem? Either of these could create reputational risks since we live in a social media culture where a bad review can be the difference in hitting your forecasted goals. You also run the risk that the vendor cannot continue to innovate and grow in supporting your volume. Any red flag that you collect during the due diligence process may not be the single point of failure with a poorly operating vendor, but can be used to define the type and frequency of oversight which you must apply.
I also highly recommend reviewing the company compliance culture and ensuring that it aligns with your own position. Since a vendor is an extension of your operation, it’s important to make sure that similar values are shared and that regulatory frameworks are strictly managed. Within regulatory compliance, one red flag to be aware of is the litigation of regulatory non-compliance. Checking a vendor’s compliance management system will provide insight into how the vendor values and addresses their regulatory compliance requirements. If they do not align with your own standards, you have the option of addressing the findings with a remediation plan or walking away since the two organizations may not be the best fit.
POW: BitSight analyzes security events and practices to come up with a score, so is it completely objective? Are there any other factors that go into the rating?
SG: BitSight analyzes externally observable events to derive the BitSight security rating and to apply a letter grade to 18 risk vectors. To be included in a graded risk vector or in the headline risk rating an event must be Objective, Verifiable, and Actionable. In addition, the BitSight report offers ongoing monitoring which is a significant factor of a robust cyber risk vendor management program.
POW: How will this collaboration help lenders and servicers with current compliance standards?
SG: Cyber risk is one of the main threats that any financial institution faces today. Cyber risk doesn’t discriminate. The victims include borrowers, realtors, settlement agents and the lenders themselves and as we’ve seen over the last seven years, data breaches can occur across all industries. It is a sign of how connected we are in the 21st century.
Compliance standards are now in a state of convergence. Data security and consumer privacy are now daily topics of debate worldwide, with regulations such as GDPR, NYDFS Cybersecurity Regulation (23 NYCRR 500) and California Consumer Privacy Act (CCPA), all require the cybersecurity of institutions and vendors to be addressed and managed.
Using a suite of tools available through BitSight will demonstrate that the lender takes the regulations seriously and is proactively attempting to manage the risk. The challenge faced by the regulatory bodies is that the hacker community is adept and creative in their attack methodologies and regulations can’t always keep pace with the threats. In turn, new regulations may take years to go into effect. The trap for a lender is the failure to address any form of risk identified, simply because there isn’t an immediate regulation addressing that risk. Being proactive will in turn lead to a stronger risk management mindset.
POW: How is the ability to manage risk keeping pace with the cybersecurity threats themselves?
SG: The sense that managing risk in line with the rate of cybersecurity threat is a misnomer. Cyber risk seems to always be one step ahead since hackers aren’t limited by creativity nor lack the resolve to disrupt. It is often mentioned that cyber data breaches aren’t regarded as an if, but a matter of when.
The community of cybersecurity practitioners have the ability to assist the market and leverage the concept of the power of the network. Vendorly believes that by aligning with BitSight as an industry leader in cybersecurity ratings, we are bringing a more holistic and complete view on a lenders overall vendor management panel and remediate any third-party risk in line with regulatory compliance requirements as mandated by the OCC and CFPB.
Interview has been lightly edited for length.