Cybersecurity Panelists Talk Trends, AI, Best Practices

(From left: Brett Adams, Beverly Henshaw and Michael Nouguier)

NEW ORLEANS–“I guarantee we’re going to scare some people. And if you’re not scared when we leave, you weren’t paying attention,” promised Brett Adams, Senior Vice President & Managing Director, Servicing, Berkadia, on a panel about guarding against cybercrime May 20.

The panel, at the Mortgage Bankers Association Commercial/Multifamily Finance Servicing and Technology Conference, offered insights on trends in cybercrime, as well as some tips and recommendations to combat it.

On the macro and global level, third-party risk, ransomware and business email compromise, such as phishing, are posing a large concern, said Michael Nouguier, Chief Information Security Officer for Richey May, Englewood, Colo.

“We do know that nation-state activity is increasing,” said Beverly Henshaw, a Cybersecurity Advisor for the Department of Homeland Security. “And they are definitely targeting the financial sector, along with energy, water, wastewater and transportation.”

Artificial Intelligence may be one of the hottest trends around–and that now includes cybercrime, Nouguier noted.

He recalled that he used to train his staff to look for things like typos, or communications that don’t really make sense–tells that could reveal when an email came from a nation-state actor or someone without knowledge of the industry.

Nouguier noted that with the introduction of tools such as Chat GPT, bad actors can write emails that are harder to spot as malicious.

“On top of that, you can actually use AI to write malicious code for you, as long as you are prompting it correctly,” he said.

And, Henshaw noted, these types of crimes can happen to any company–big or small.

So, what can companies do to protect themselves?

As of right now, most cybercrime does involve a “human element” the panelists said. Whether it’s a phone call, text message, email or even in-person interaction, the majority of cybercrime begins with something an individual does, often accidentally or unknowingly.

Nouguier cited the Verizon 2024 Data Breach Investigations Report, highlighting the finding that it takes a person, on average, 21 seconds to click a link after opening a phishing email, and then just another 28 seconds to provide the (maliciously) requested information.

“In under a minute, your organization is impacted and breached,” Nouguier said.   

“So when you are considering investment in cybersecurity, one key area to focus is training the human element,” Nouguier said. He recommended consistent training, not just a session once a year.

He also recommended utilizing various kinds of technology to guard against attacks, such as programs that can help block phishing emails before they reach that human element.

Henshaw noted that there are plentiful government resources to help companies plan ahead and identify vulnerabilities.

One is the Cybersecurity and Infrastructure Security Agency, part of DHS. Similarly, Nouguier recommended pursuing a relationship with a company’s local FBI office in case some sort of breach does happen–particularly if it’s extortion-based.

Additionally, companies need to prepare for the chance that they, at some point, may experience an incident.

One good thing to do is identify a cybersecurity leader, Henshaw said, who can help develop an incident response plan and drive incident management. A cybersecurity budget, to provide needed tools and solutions, is also important, Henshaw said, and she further recommended an assessment to determine weaknesses.

Nouguier likened a cybersecurity incident to running a marathon. It would be very hard to just get up and run 26.2 miles one day–you need to practice and train.

He listed tabletop exercises, which allow companies to run through various scenarios and test an incident response plan, as a good way to do that. For example, it may expose vulnerabilities companies haven’t thought of–like how to contact each other, or clients, if they’re locked out of vital software.

Adams inquired specifically about preventing wire fraud and breaches of personal identifiable information–concerns particularly relevant to servicers.

For wire fraud, Nouguier recommended making sure you have a procedure that includes some sort of verification or double-checking.

As for protecting PII, Henshaw recommend making sure vital data is encrypted, and being realistic about who in your company needs access to it.

Nouguier also noted the importance of being cognizant of the flow of data and information–like what needs to be stored and for how long.

Third-party breaches–such as vendors–are also a big concern for the servicing industry specifically.

“The due diligence that you have as an organization to protect your client base really needs to be pushed onto your third-party vendors as well, making sure that you’re requiring stringent cybersecurity controls,” Nouguier said. “It’s a hassle from a procurement and vendor management perspective. But it’s more of a hassle when that third-party vendor has been breached and you are the one that has to notify your clients.”