#MBASecondary22: Cyber Crimes: How to Protect Your Company

(l-r) Jason Doshi, Marianne Bailey and Rick Hill at the recent MBA National Secondary and Capital Markets Conference & Expo in New York.

NEW YORK—With fraud, data hacks and ransomware on the rise, cyber crime is a more visible threat to financial services companies.

In recent months, several mortgage firms have disclosed cyberattacks. For example, American Financial Resources, Parsippany, N.J., in March reported an earlier data breach, affecting data such as Social Security numbers of 216,645 borrowers. Since the breach—which cost AFR an estimated $885 million—AFR implemented additional security response measures, but still faces potential legal liability amid several investigations.

Cybercrime cost $6 trillion in damages in 2021, according to Marianne Bailey, Cybersecurity Leader with Guidehouse Inc., McLean, Va. That figure is expected to grow by 15% per year over the next five years to nearly $11 trillion by 2025.

“Cybercrimes are vastly undercounted,” Bailey said here at the MBA National Secondary and Capital Markets Conference & Expo. “Some estimates suggest as few as 10 percent of cybercrimes are actually reported. Companies don’t want you to know that they’ve been attacked.”

“The reasons criminals like real estate transactions are because of the infrequency of the transaction, the many moving parts and the volume of the transaction,” said Jason Doshi, CEO and Co-Founder of paymints.io, Charlotte, N.C.

Ransomware attacks are also on the rise; Guidehouse estimates ransomware attacks will costs companies more than $21 billion this year.

Doshi noted the Cloudstar ransomware hack last year touched every part of the real estate transaction. “It delayed closings and put certain title agencies out of business because they could not complete transactions,” he said. “The scope of the issue is pretty dramatic.”

Resolving ransomware attacks doesn’t necessary “resolve” the issue, Bailey said. “Paying a ransom can often result in another attack almost immediately,” she said. “There are so many moving parts in the real estate transaction—nearly every bit is vulnerable.”

Where does all that money go? “A lot of nation-states back cyber-criminals,” Bailey said. “You have to worry about the kid with the hoodie, but you also have to worry about organized cyber-crime. They can use the digital world we live in to not only steal money, but shape debates.”

Case in point: the destabilized situation in Russia and Ukraine. “The Russians have the ability to disrupt—there has been a low-level cyber-war for decades,” Bailey said. “They know a lot of companies better than the companies know themselves. They’re in it for the money right now, but if they wanted to, they could actively disrupt infrastructure. Imagine New York City going through a winter without heat—it could happen.”

“When you look at the volume of real estate transactions that take place in the U.S., and the volume of money moving through the system, it is difficult to hack that system, but it can be done,” Doshi said. “There are organizations out there studying transactions—they are not the kids in the basement wearing the hoodie—it’s a sophisticated, organized effort capable of moving millions of dollars at a time.”

“We live in a very open country,” Bailey said. “It’s very easy to get information and data, and the next thing you know, you have trouble.” She said “phishing” scams—in which a cybercriminal mimics a company or service email to trick users into providing information—have become increasingly sophisticated, with the goal of getting someone at a company—often a high-level executive—to open the email and expose company data.

Bailey described one phishing expedition in which an employee received a supposedly urgent message from the company CEO asking for information “ASAP.” Everything looked legitimate–however, the message concluded with the signature, “cheers!”—a phrase the employee knew the CEO would never use. The employee flagged the email and avoided subjecting the company to a potential cyberattack.

Doshi said mortgage companies—which, during the coronavirus pandemic, hired thousands of new employees—can be particularly vulnerable. “A new employee might not know that the CEO doesn’t say ‘cheers,’” he said.

So, how can companies prevent cybercrimes?

“Training employees is critical, but it’s not the only answer,” Doshi said. “The mortgage transaction is largely a manual transaction and is not yet at a scale where technology can replace manual processes. Fortunately, there are a lot of technology out there that can supplement training.”

“You need a cyber-resilience program,” Bailey said. “You have to identify the processes that are most important to you and identify ways to protect those processes.”

Patches, for example, should be applied across 100 percent of a businesses’ processes. “It’s not enough to say, ‘we are 87 percent patched,’” Bailey said, “because that still leaves your systems vulnerable and provides criminals with a roadmap to your entire business. It’s critical that patches be understood, and implemented properly.”

“I’ve had people tell me, ‘I don’t have to worry about cybersecurity, everything is in the cloud,’” Bailey added. “That’s ridiculous—it’s still out there and it’s still vulnerable.”

Is blockchain an answer? “It’s ideal for keeping a record of chain of title on a property,” Doshi said. “From a security perspective, it checks the box for security. It’s going to be tough from a transitional standpoint, because you have to establish who is the caretaker of truth. It’s definitely a part of the future, but I don’t know when it will achieve broad adaption.”

“We’re moving toward that, but it’s still going to take time, but the ecosystem has to be all-encompassing,” Bailey said. ‘It is definitely the wave of the future.”

“Blockchain was the technology that was supposed to change everything a few years ago,” noted Rick Hill, MBA Vice President of Industry Technology. “In some ways, we’ve made progress in that we’ve established some starting points in which they don’t necessarily have to have everyone participating.” From a security standpoint, he said, “the data can’t be manipulated, necessarily, but some elements of transactions remain vulnerable.”

“We have to be constantly diligent,” Bailey said. “It’s not just any one thing; it’s everything.”

****

Freddy Feliz, CIO and Vice President of Information Technology with MBA, said MBA members can take simple, effective steps to protect their companies from cyber-attacks.

These steps include proper use of multi-factor authentication and identity management; securing integrations with third party vendors (i.e. Web APIs); monitoring third-party libraries (particularly open-source libraries); and engaging in timely patch management, advanced threat management/response, restricting or limiting systems access (i.e. Zero Trust model) and ongoing test/validation of security controls could help reduce the attack vectors that bad actor are utilizing significantly.

“We are definitely hearing about successful intrusions into mortgage firms,” Feliz said. “We can probably assume there are others that have not been disclosed, or even discovered. This would be a great time for everyone in mortgage to be vigilant.  Companies, if they have not already done so, might want to provide updated training to their staff, because humans are often the weak point in cyber-attacks.”

MBA offer a resource for small and midsize organizations to help focus on the most critical items https://www.mba.org/industry-resources/technology-resource-center/cybersecurity.

Additionally, in March, MBA Education held a webinar, Ukrainian Situation – Cybersecurity Implications for Your Organization. A recording of that webinar can be found here.