This is the first article in a series on what originators need to know about the phenomenon of cyber attacks and ways that they can protect their business.
In an increasingly digital world, cyber attacks are a way of life. Massive data breaches dominate headlines month after month, and consumers are taking various steps to protect their data. As originators increasingly look to digital channels, platforms, and other ways to streamline their business, they’re becoming bigger and bigger targets of cyber crime, and not necessarily in expected ways.
JT Gaietto is the executive director of cybersecurity services for Richey May & Co, an accounting firm that specializes in mortgage banking, alternative investments, and real estate tax and advisory services. Targeting consumer data is nothing new, but Gaietto says that it’s slowly transitioning into more monetary plays that are focused on resources. He says that there are a couple of different trends that they’re seeing that pose security risks for the industry as a whole.
“The ‘bad guys’ are figuring out, instead of targeting just the consumer’s data for identity theft or targeting the consumer for wire fraud or the business for wire fraud, it’s much more profitable to look at using ransomware, or encrypting entire companies’ data sets, or they’re even going further now and using the computing resources of these mortgage originators to generate cryptocurrency like bitcoin,” he said.
By doing this, the perpetrators can continue to monetize their output without the originator or owner ever realizing it, or at least not realizing it for quite some time. This makes it much more useful than other types of fraud, such as wire fraud, which is discovered immediately when a lump sum goes missing.
The legal and compliance area is also turning into more of a gray area. The New York Department of Financial Services Cybersecurity Regulation (23 NYCRR 500) is a set of regulations announced and implemented in 2017 by the NYDFS that places new cybersecurity requirements on all covered financial institutions. Other states are increasingly focused on data privacy as well, and there is also the Gramm-Leach-Bliley Act, which is one of the oldest data protection laws on the books.
“Under the GLBA, there’s the safeguards rule that applies to anyone in financial services, saying that they’re going to take reasonable steps to ensure the protection of consumer’s data,” Gaietto said. “That broad statement adapts over time. What might have been prudent steps in 2002 are not considered adequate in 2018.”
Gaietto said that a lot of people get caught up in technicalities such as not being licensed in states where the newer regulations are being put into place, and therefore thinking that they aren’t required to take measures such as enabling multi-factor authentication or encrypting consumer data, but that’s dangerous, not only for the consumer, but for the business owners as well.
“I caution mortgage companies in that statement because they are subject to federal GLBA, and those are now becoming what I would call table stake security controls to protect themselves. In many of the security breaches we’ve dealt with in just this last 90 days with clients, all but one of them would’ve been prevented if the firms had enabled multi-factor authentication, for example. A lot of companies are scoffing at that requirement from New York, saying I’m either not subject to it or it’s disruptive to my business so I don’t want to put it in place; the reality is that it’s now becoming expected,” he said.