Balancing Security, Innovation in Digital Lending

DALLAS–Data breaches and evolving strategies by bad actors are putting financial institutions under more pressure than ever before.

In the wake of several highly visible data breaches within and outside the mortgage industry, lenders and servicers here at the Mortgage Bankers Association’s Technology Solutions Conference & Expo said they are taking steps to protect not only their customer data, but their own cybersecurity processes.

Donald Schmidt, Deputy CISO with Fannie Mae, Washington, D.C., said a data breach would be “devastating” to his company.

“Companies recover from data breaches–look at Target,” Schmidt said. “But the longer-term issue is transparency. You have to make sure your procedures are transparent, not only internally, but externally.”

Brian Magruder, Senior Vice President with SunTrust Bank, Richmond, Va., said data, particularly consumer data, are a prized asset. “To see just how technology has exploded over the past five years is astonishing,” he said. “The mortgage process now is less about consumers providing us with data but more about how we use those data.”

Magruder said controlling costs is a key consideration, which makes the cloud appealing. “But it also raises security concerns,” he said. “We are migrating one piece of our mortgage originations process at a time to the cloud.”

“You have to practice good ‘cyber-hygiene,” Schmidt said. “And you have to do it right the first time.” And that, he said, involves third-party and even fourth-party risk. “If you have a vendor who doesn’t practice good cyber-hygiene, it can compromise not only your company, but every company you’re involved with.”

The Target breach is a classic example. In 2013 a Target vendor, an HVAC supplier, was attacked in a phishing campaign that opened a door into Target’s systems, allowing the hackers to obtain credit card information on up to 41 million Target customers. The breach damaged the company’s goodwill and led to an $18.5 million settlement with attorneys general in 47 states.

“You and your vendors have to all be in this together, to keep the chains locked,” Schmidt said. “It’s not enough to trust your vendors; you have to trust, but verify.”

Magruder said SunTrust’s challenges come from having customers with multiple accounts. “Security is foundational,” he said. “When we engage with a vendor, they have to come to us with every step they take to ensure their systems are secure. “We work closely with potential vendors to see how they engage in relationships with other vendors and how they deliver their security features,” he said.

Schmidt agreed. “We not only evaluate the potential vendor, but who their third parties are as well, so it’s a fourth-party process,” he said.

Both Fannie Mae and SunTrust have rejected vendors over the past year. “For us, the concern wasn’t necessarily a security concern, but more of an overall management concern,” he said. “We didn’t see this vendor as a good fit with our risk appetite.”

“Every time we try to bring on a new vendor, they undergo a rigorous evaluation process,” Schmidt said. “For one vendor, it was an easy rejection–they were a Russian-based vendor that did not appear to have proper security protocols in place. There was simply too much risk involved for us to move forward.”

Schmidt noted, however, despite increased risks with going with smaller, unproven vendors, they also provide opportunities. “We’ve learned they are more adaptable and willing to make changes,” he said. “Sometimes it’s difficult for a large vendor to pivot and change directions; this is something a smaller vendor has the flexibility to do quickly and easily.”