#MBAServicing2020: Ransomware and Cybersecurity—Understanding the Threats

ORLANDO—Rick Hill, Vice President of Industry Technology with the Mortgage Bankers Association, worries about the vulnerability of the mortgage industry.

“Our industry technology does a great deal of good, but it’s also very vulnerable,” Hill said here at the MBA Servicing Solutions Conference & Expo. “And there are a lot of bad guys out there who want to disrupt it. And it’s critical that we collaborate to prevent the bad guys from succeeding.”

Evan Bredahl, Cybersecurity Engineer with Richey May & Co. LLP, Denver, said ransomware—in which in which a cybercriminal targets a business with malware, then demand money to dismantle it—has become increasingly prevalent worldwide. “It speaks to the vulnerability of our systems that you’ve seen businesses and even governments brought to their knees because of a criminal that’s infiltrated their systems,” he said.

(l-r) Panelists Rick Hill, Evan Bredahl, Thomas Clerici and Gretchan Francis at the MBA Servicing Solutions Conference.

“When you look at the ransomware threat specifically, it wasn’t much of an issue even 15 years ago,” said Thomas Clerici, Chief Technology Officer and Chief Information Security Officer with Freedom Mortgage Corp., Mt. Laurel, N.J. “And now it’s more prevalent, but so many business people have become numb to it—they don’t think it’s going to happen to them. Only when a ransomware criminal has brought your operations to a standstill do they suddenly care about it.”

Gretchan Francis, Vice President of Specialty Line Sales with Proctor Financial, said the financial services industry is at “tremendous risk” for ransomware and other cyberattacks, in part because of the industry’s extensive use of email. “It invites all kinds of security risks,” she said. “And there are ramifications that go well beyond paying a ransom.”

Clerici said the problem is much more prevalent than news reports would suggest. “No one wants to admit they’ve been victimized,” he said.

“That’s because a ransomware attack is a public relations nightmare,” Francis said.

“One of the problems with ransomware is that you can no longer access your systems,” Bredahl said. “And if you can’t support or respond to your customers as a mortgage servicer, it can put you out of business.”

Clerici agreed. “It becomes not just an IT problem, but an operational problem,” he said.

Even worse, Bredahl said, is that the nature of ransomware attacks is that a business is not aware of the issue until the problem presents itself. “They don’t want you to know they’re tampering with your system until they’re already in and have infected your systems,” he said.

“And by then,” Clerici said, “it’s panic time.”

Francis noted the “average” time down for a ransomware attack is 16 days. “For ransomware criminals, it’s a pretty good success rate,” she said. “After the first week, most companies are ready to pay the ransom.”

So, what to do? More importantly, what to do ahead of time?

Bredahl strongly encouraged companies subject to ransomware attacks immediately contact the FBI. “They have resources to investigate,” he said. “And they might be able to offer you solutions.”

Clerici agreed, although he cautioned that victims should measure their expectations first. “If you think the FBI is going to come in a save the day, you’re going to be sorely disappointed,” he said. “You can report, but you can’t rely on them to solve your problem.”

Another practical step, Francis said, is to contact the insurance company—assuming the company has insurance for this type of attack. “Let your insurance company negotiate with the attackers,” she said. “Because if they can negotiate, they can end up paying less if it comes down to the decision that paying a ransom is the best step for that situation.”

There is good news: there are preventive measures that can be taken. “Prevention is critical,” Bredahl said. “When you assume the mentality that cybersecurity attacks will take place—not an ‘if’—then simple security steps can go a long way.”

Bredahl said staff training is essential. “When you have an industry that is so dependent on email like the mortgage industry, it makes staff training so essential,” he said. “More than half of all cybersecurity attacks last year originated in an email-based system. If you can train your staff to effectively identify potential cyberattacks, then you’ve taken a big step.”

Francis noted companies must also strengthen their relationships with third-party providers. “That can be an entry point for malware attacks,” she said. “You need to know what systems your third-party provider use so that you can respond accordingly.”

“The landscape is going to continue to change,” Bredahl said. “You need to stay ahead of this issue.”