#MBAIMB20: ‘Speeches about Breaches’–Security Risks in the IMB Backyard

(l-r) Susan Stewart, Thomas Delaney, JT Gaietto, Corey Harris and Alex Nunez.

NEW ORLEANS—Data breaches aren’t going away. For independent mortgage banks and other financial institutions, being hacked is a question of “when,” not “if.”

“If you haven’t developed a cybersecurity strategy for your company, you should,” said Susan Stewart, MBA 2020 Chair-Elect and CEO of SWBC Mortgage, San Antonio, speaking here at the Mortgage Bankers Association’s Independent Mortgage Bankers Conference.

JT Gaietto, Executive Director of Cybersecurity Services with Richey May Technology Solutions, Englewood, Colo., said the ultimate goal of cybersecurity attackers is disruption. “They want to shut down your business; they want to create a sense of urgency and they want you to give them money,” he said.

Corey Harris, Cyber Security Special Agent with the Federal Bureau of Investigation’s New Orleans office, said those efforts are succeeding. He said his office sees frequent incidents of ransomware, in which a cybercriminal targets a business with malware, then demands payment to remove it. “A lot of victims don’t like to publicize what happened,” he said. “The issue is far more prevalent than perceived.”

Thomas Delaney, President of Bankers Insurance Service, Chicago, said ransomware incidents increased by more than one-third in the fourth quarter alone, and ransomware is now the single-biggest factor in companies’ insurance rate increases. “It not only speaks to the frequency of ransomware incidents, but also the severity,” he said.

Harris said the FBI does not condone paying out ransomware demands. “Who are you paying out to? You don’t know that,” he said. “You could be providing funds to a terrorist organization. You could be helping them strengthen their own infrastructure.”

Delaney mildly disagreed, saying it’s a business-by-business decision. “If you’re the owner of an independent mortgage bank and you get subjected to a ransomware attack and it starts to seriously compromise your business, you have to do what’s best for your company,” he said. “Your employees are depending on the mortgage pipeline and want a paycheck. If your insurance company says ‘pay the ransom,’ then pay the ransom.”

Harris noted more than 60 government agencies in Louisiana alone have been subjected to ransomware attacks. “We try to bring awareness to agencies throughout the state and tell them one thing they need to do is have an incident response plan in place,” he said.

Timing is also important, Harris said. “We find that when a ransomware attack takes place, oftentimes an organization waits as long as a week before disclosing that,” he said. “We can’t be much help after that. If you contact us right away, we might be able to take steps to try to shut down the attack. You can’t do that without a detailed incident response plan in place.”

And even when the issue appears resolved, Harris noted, it may not be. “You don’t know if they created a back door, so they can repeat the process in six months,” he said.

Gaietto said independent mortgage banks can be particularly vulnerable. “Cybercriminals would much rather go after a smaller organization that doesn’t have the financial backing or resources of a larger financial institution,” he said.

Delaney agreed, noting that cyber attacks aren’t about Ocean’s Eleven. “The cybercriminals are not going to target the large casino with the ‘eye in the sky’ and huge security operation,” he said. “It speaks to having a strong ransomware policy in place.”

Cybercriminals use other methods as well, Gaietto noted. “Email was never designed to be a secure form of communication,” he said. “Because of that, we almost take email at face value, and cybercriminals love to take advantage of that.” He said it’s easy for a cybercriminal to “take over” a particular email account to infiltrate a company.

“When you use the same password for multiple sites, it makes it very easy for the cybercriminal to compromise multiple systems,” Gaietto said. “That’s why multi-factor authentication is so important to have in place.”

Alex Nunez, Senior Cybersecurity Policy Advisor with Upguard, Mountain View, Calif., said these activities can have a cascading effect. “Unfortunately, much of these data are easily accessible over the internet,” he said. “What I see is a strong need to monitor the public Web; additionally, there is often the case where your own organization or vendor leaks information and puts your data at risk.”

Nunez said the problem is “omnipresent.”

“It comes down to how good your protection is,” he added. “You need to have something in place to detect these behaviors. Criminals are people, too, and they can be predictable. You have to have parameters in place that can detect these patterns.”

The best deterrent to cybercriminal activities is “making your employees your front line of defense,” Gaietto said. “You have to have structured training on a 12-month cycle; you should be testing for phishing. If you have 1,000 employees, and 10 percent click on a phishing email, that’s a lousy percentage.”

Delaney agreed. “You’re not going to be able to even get a cybersecurity insurance quote unless you can demonstrate you already have some procedures in place,” he said.

Nunez noted third-party contractors provide particular risk to organizations. “There are a lot of reputations at stake here,” he said. “Not only do you have to protect your own reputation, but you have to have third-party partners that have the same commitment. Your customer is not going to care where the security breach came from, only that it happened–and you are responsible.”

Delaney agreed. “From an insurance perspective, if your third-party vendor has a security breach, who is the customer going to sue?” he said.

“Think about your own shop,” Gaietto said. “Think of all the title companies you work with that do not have a security program in place that is on a par with the GSEs or larger institutions. You have to be diligent with your entire supply chain.”

Harris said the simplest preventive measure is to have a back-up in place. “It might take a while to recover, but you’ll have it,” he said. “And make sure it’s not connected to your network.”

“And you have to test that backup,” Gaietto said. “You have to know that you’re capturing everything to make sure they are functional. It’s like having a spare tire in your trunk—you might never use it, but if you do need it, it needs to be ready to use.”