Securing Home Base: Why Mortgage & Lending Companies Need a Security Strategy
When buying a home, families are looking for stability in the structure, a safe neighborhood, and adequate safety features within the home to keep everyone healthy and avoid potential danger. For example, no one wants a home with a front door that doesn’t lock or windows with no panes. Further, an added bonus or deciding factor for a family might be the inclusion of a built-in security system.
Mortgage and lending companies need to treat their databases and IT infrastructure with the same care that the families they lend to bring to purchasing a home. Companies should review their current IT assets and be proactive in selecting and reviewing the vendors and other business partners with whom they share restricted information. Organizations can do this by using an Attack Surface Management (ASM) platform, but more on that later.
What makes the mortgage and lending industry susceptible to attacks?
First, the data collected from potential homebuyers to qualify them for a mortgage or home loan are attractive to hackers and cybercriminals. Information gathered during the homebuying process includes Social Security numbers; financial information, such as bank statements; credit reports; and other personal information. Second, some of this information is collected multiple times per federal law, creating multiple points of entry for a potential hacker.
Homebuying, too, has seen a significant increase during the COVID-19 pandemic. According to the Pew Research Center, “The addition of 2.1 million homeowners in 2020 represents an annual increase of 2.6%. This is the seventh largest percentage increase in homeowners dating back to 1965.”
Some loan processes are fairly straightforward and others are more convoluted. While there are standards for what information is required to apply for a loan, there’s no standardization for how that information and data are collected. This leaves mortgage and lending companies exposed to human error and to sprawling IT infrastructure. Governmental agencies and legislatures are pushing lenders toward better risk management by enacting laws and regulations, such as New York’s Cybersecurity Requirements for Financial Services Companies. Lenders that can’t keep up are paying the price in large fines and lost trust.
The industry is susceptible to attack by the nature of its business, much like a credit card company, but the siloed nature of the mortgage and lending industry is a consideration, too. Loan officers, mortgage brokers and originators, real estate agents, underwriters, and title agents are just some of the roles necessary for buying a home, all of whom will at some point handle sensitive data. In sum, it’s a bit of a mess.
What your company can do to mitigate potential cybersecurity risks
In 2019, millions of mortgage loan documents were exposed not once but twice because the data was publicly available on a cloud service via a vendor’s double error. This tracks with data from 2020 that 73% of cybersecurity incidents involved external cloud assets, according to the Verizon Data Breach Investigations Report, and from 2021 that more than 50% of enterprises will unknowingly and mistakenly expose storage buckets, network segments, applications, or APIs on the public internet, according to Gartner.
Whether you’re a small company or large conglomerate in the mortgage and lending industry, it’s time to shore up your security strategy with a simple, easy-to-use solution to identify and monitor your company’s asset inventory (and your vendors’ inventory) and remediate risks discovered in the process.
Employing the Censys Attack Surface Management Platform as part of your security strategy will give you the ability to prioritize any existing risky assets, confirm they’ve been remediated, and spot potential threats in real time. You won’t be up at night worrying whether your clients’ data is floating out on the public Internet. Instead, you’ll know where your sensitive data is stored, whether it is protected, and whether action needs to be taken.