Data breaches are occurring now more than ever, and although they aren’t exactly commonplace in the mortgage space, the implications of a breach can be significant—both in terms of the information exposed as well as the financial liability and negative publicity of the responsible party.
A massive amount of time, money, energy, and regulation has been pumped into the mortgage industry to help protect against data breaches. While all of that helps, one safeguard that many companies fail to put in place is making data security part of the company culture.
Alok Datta, president of SLK Global America, a leading business solutions and software services provider, says that transformation has to happen on multiple levels.
“Breaches happen at a human level, and that is where I think it’s important that along with all the systemic fixes, from a cultural perspective, how are we ensuring that cybersecurity or some of the Infosec norms are part and parcel of the DNA of the organization?”
Ideally, from the moment someone joins an organization, they need to not only be informed of the security precautions and procedures in place, but also be made aware that the landscape is continually changing. Companies need to provide regular and ongoing refreshers on compliance and on an individual’s role in helping to protect consumer data. This is in addition to regular activities like penetration testing to discover where vulnerabilities lie in the system itself.
“Most times companies do a lot of certification, but don’t inculcate or build in a culture of being hypersensitive to data. Unless we do that, you would always be prone to breaches because there is human involvement. While there are systems, the systems are managed by people, and people need to understand the implications of a data breach. Most times they don’t understand the upstream and downstream impact of a potential breach,” Datta said. “I think those are some of the important pieces in addition to these certifications, and may seem like softer aspects, but are critical because that’s how we have seen the breaches happen.”
The most technical aspect of data protection is the part that most mortgage companies get right: ensuring that the systems and technology in use are secure, which can mean having the right kind of infrastructure. The reason most companies get that right, Datta said, is that it is a hard metric, and it is necessary in order to operate and be compliant.
“If you’re not, say, SSAE 16 certified, or you don’t have vulnerability testing or penetration testing happening on your systems, folks will see through it because you will not have certifications to that effect,” Datta said.
But increasingly, data breaches are happening to companies that clearly had those types of security controls in place, which proves that those protocols are just the tip of the iceberg.
When working with third-party vendors, the risks can be multiplied if lenders don’t do the proper due diligence. The decision to engage a third-party vendor has to be made by weighing cost against the quality, service, and security that the third party provides, and that includes a hard look at their track record.
“Sourcing, going through the right due diligence process, companies doing reference checks for the third-party vendor that they’re engaging with, and then ensuring that contractually they’re holding the third parties liable for potential issues that could happen are some of the best practices that have got to be part of any kind of a third-party engagement.”