Loan Servicers Target Cyber Security Threats

LOS ANGELES–As cyber threats grow and evolve, loan servicers need actively identify and neutralize attacks, panelists said here at the MBA Commercial/Multifamily Servicing and Technology Conference.

Christopher Fielder, Director of Digital & Technology with CBRE Loan Services, Houston, said cyber attacks have become pervasive. “Attacks are going on every day,” he said. “It can be as easy as someone clicking on an email link they should not have clicked and a compromise is made. Those are very difficult to catch. Companies rely on their Information Security and IT departments to catch those things, but it’s really everybody in this room; it’s our responsibility, too.”

The threat from “phishing” emails–fraudulent messages designed to trick a reader into clicking a malicious link or revealing personal information–is growing. Smekens cited FBI statistics saying 80 percent of people will not click on a phishing link, but 4 percent of people will click on every link in an email. “It’s finding that 4 percent that is critical,” he said. “That’s who you’re trying to find.”

Phishers have grown significantly more sophisticated recently. “It’s no longer easy to detect because of bad spelling or wrong terminology; they are starting to learn our lingo,” said Amy Frazey, Assistant Vice President of Investment Administration with StanCorp Mortgage Investors, Hillsboro, Ore.

PGIM Real Estate Finance President Joni Brown-Haas reported her firm’s Chief Information Officer shares examples of what phishing requests look like, “so people have their antenna up looking for things that just don’t feel right,” she said.

There are three basic elements to cyber security controls, Bellwether Enterprise Real Estate Capital IT Developer Troy Smekens said. “First, have prevention measures in place. The second element is detection, being able to detect any attempted breaches. The third is the human element; you don’t want that to be the weak link,” he said. “So having people educated on threats is crucial.”

Berkadia Chief Information Security Officer Thomas Dryden agreed a firm’s staffers represent its first line of defense. “I call it a ‘human firewall’,” he said.

Panelists said their firms have mandatory safety awareness training for new employees and refresher courses at least annually for all employees. “Information security awareness needs to be a core value of your organization,” Dryden said. “It must be supported by those in the corner office.” In addition to regular information security awareness training for all employees, Berkadia holds an annual “Information Security Month” in October where it highlights security awareness with posters and brown-bag lunch discussions, he said.

Identity management represents another security challenge, Dryden noted. He recommended firms use multifactor identification before allowing anyone access to its system. “It’s essentially a code from a second source [to verify the person is a legitimate employee].” He noted some firms use biometrics, generally an iris scan or a thumbprint, before allowing access to their network. Others require confirmation from an app or the employee’s mobile phone.

Because they regularly handle money, servicers in particular need to watch for potentially fraudulent financial requests. “You don’t want to send funds via wire just because someone says to [in an email],” Fielder said. “First, you should make a call [to the person who requested the funds] and have a conversation about it. Most borrowers appreciate that because they don’t want anything bad to happen.”