Cybersecurity in the Financial Services and Mortgage Banking industry in 2022 has started off with a bang. We’re facing an unprecedented time of market contraction, a complex threat landscape, increasing compliance requirements, and a demand for more cybersecurity resources. After getting through the pandemic and an unprecedented volume of demand for loans, many leaders in the Independent Mortgage Banking industry might be thinking that things couldn’t get any more complicated.
Well, to put it simply: they have.
In the fourth quarter of 2021, the Identity Theft Resource Center, a US-based non-profit organization founded to aid victims of identity theft, found that cybersecurity incidents impacting mortgage transactions increased by 17% year over year. We also received notice from CISA, the Cybersecurity & Infrastructure Security Agency, that it has seen an increase in threats targeting the United States financial sector, prompting it to issue a “Shields Up” notice. The Shields Up notice asks companies to focus on the “commonly exploited” vulnerabilities, a list that has just crossed the mark of 600 different vulnerabilities.
In late 2021, one of the most widespread vulnerabilities to date was disclosed: Log4j. First exploited in late November 2021, this vulnerability in the Java Log4j logging library, known as Log4Shell, impacts instances of software tools, endpoints, and cloud services around the globe, with affected versions dating back as far as 2013. Many of the common platforms that we use within the industry were impacted, adding to the list of required items for us to review and validate with our third-party vendors.
On the back of Log4j, just as we seemingly got out of the woods, we were hit by a group of teenagers who successfully bypassed various security controls and compromised Okta and Microsoft in the same week, reminding us that threat actors are always around the corner waiting to identify weakness.
What’s a company to do? There are several simple steps that all companies should be focusing on to reduce their overall cybersecurity risk.
- Cybersecurity Awareness Training: Because of the continued growth in phishing attacks, organizations should focus on improving their “human” security controls. In addition to the required annual cybersecurity training, companies should also be performing monthly “micro” training sessions in combination with simulated phishing tests. By making our employees more aware of the threats we face every day, we can reduce our risk of cybersecurity incidents due to human error.
- Multi-Factor Authentication: This security control is critical in today’s environment. If your company is still simply relying on passwords, you are taking on undue risk. While not all multi-factor authentication is created equal, in 2022 (if you haven’t already) you should be making plans to implement a solution across your manufacturing platform. Those of you with customer portals for servicing should also consider extending it there to help protect your customers as well.
- Patch EVERYTHING! This seemingly simple task is more complex now that we have hybrid and remote workers. However, it’s still one of our best controls in eliminating exploitable vulnerabilities in our environments. Of the 600 commonly exploited vulnerabilities mentioned by CISA, the top 12 have had security patches available since 2017.
- Get a Security Test: American Banker and National Mortgage News recently did a survey that found that only about half of mortgage companies have had a penetration test completed in the past 12 months. A combination of vulnerability scanning and penetration testing helps organizations identify known exploitable vulnerabilities that would enable attackers to compromise your environment.
- Managed Endpoint Detection and Response (MDR): This endpoint-level software is a solution that can help you both detect and stop cybersecurity incidents dead in their tracks. Unlike traditional software like antivirus or firewalls, MDR looks at behaviors on the computer itself. Not only do solutions like this help shore up defenses for internal resources, but they are a great solution for remote workers as well. An additional trend: because of the level of efficacy these tools have, many cybersecurity insurance carriers are reducing the cost of annual premiums for companies that have MDR in place.
- Incident Response Planning: Even with the best defenses in place, companies can have cybersecurity incidents. Having a well-defined plan that you periodically test is key to reducing the amount of downtime you have (and how much impact an outage has on originations). These plans should include more than just your IT team, with clear steps and actions to be taken based on the size, scope, and impact of the incident itself.
Because of the combination of consumer urgency and monetary value, the mortgage industry is a ripe target in these challenging times. Mortgage companies need to retain experts who are not only familiar with the industry and compliance trends but who also focus specifically on cybersecurity and compliance.
All organizations need a helping hand from experienced professionals. Digital Silence, a world-class boutique cybersecurity company, specializes in taking an elite threat actor approach to security as part of every engagement, ranging from our penetration testing and risk assessment services, incident response and threat intelligence research, up to our full Virtual CISO services. Digital Silence serves multiple industry verticals including Financial Services, Mortgage Banking, Healthcare, Technology, and Media & Entertainment.
Chief Security Officer
JT Gaietto has spent the past 25 years in the cybersecurity community. JT’s extensive security counseling experience includes stints as both consultant and client, including service as Virtual CISO to multiple companies while an Executive Director at Richey May & Co. and security leadership positions at several other organizations including SquareTwo Financial and Kelly Services.
In addition to being a Certified Information Systems Security Professional (CISSP) and a certified Forensics Examiner (ISFCE), and holding a BS in Information Systems from Northern Arizona University, he has also served as a Director of Westerra Credit Union since 2017 and has earned a DEF CON Black Badge.