DLS Servicing’s Donna Schmidt: Be Prepared for a Data Breach at Your Servicing Platform Provider

Donna Schmidt

Donna Schmidt is managing director and founder of DLS Servicing, a provider of default servicing consulting services, training and technology for mortgage servicers. A seasoned servicing professional with four decades of industry leadership, Donna is an authority on loss mitigation compliance. She is also the co-founder of WaterfallCalc, an online loss mitigation decision and calculation tool that enables servicers to streamline loss mitigation calculations while ensuring investor and regulatory compliance.

MBA NEWSLINK: Are there recent events involving non-servicers that have faced cyberattacks impacting servicers?

DONNA SCHMIDT: There have been a number of significant cyberattacks on non-servicers that impacted actual servicers. When key servicing partners like title companies are compromised, it not only hampers their direct operations, but also affects the servicers that rely on them for critical operations. In fact, just recently, two major data providers revealed their systems had been compromised, causing disruptions to their businesses. In both cases, the mortgage servicers that rely on these companies for a variety of services were left in the lurch.

NEWSLINK: What happens after a data breach?

SCHMIDT: Typically, everything comes to a standstill. Depending on who or what was impacted by the breach, servicers might be unable to do the most basic functions. This means that payments cannot be processed, property records cannot be monitored and investors cannot receive their income.

Any loss mitigation activity comes to a grinding halt as well. Even if the servicer’s own systems are protected, a data breach experienced by a servicer’s partner can be devastating for a borrower who was waiting for a loan modification or other assistance to keep from losing their home.

Basically, a data breach affecting one party in the servicing chain can have a domino effect that disrupts every other stakeholder.

NEWSLINK: What is the risk for mortgage servicers after a data breach at the servicing system provider?

SCHMIDT: Keep in mind, servicers must meet very strict regulatory and agency loss mitigation deadlines. If an outage prevents the servicer from responding to a distressed borrower who is working through their loss mitigation options, those deadlines could be missed, which can expose the servicer to potential penalties and reputational damage.

This can have long-term ramifications as well, including increased attention from regulators and lawsuits. But most importantly, system data breaches can delay the relief options borrowers desperately need. This results in a loss of trust, which is absolutely critical for ensuring the best default outcomes.

NEWSLINK: How are servicing operations disrupted by cyber events?

SCHMIDT: The loss of servicing functionality due to a data breach has a cascading impact on servicing operations. Borrowers who need urgent help suddenly find themselves in a holding pattern, which could worsen their financial situation. In addition, servicers may not be able to receive alerts about new liens on the borrower’s property or delinquent property taxes.

Equally damaging is the interruption of routine yet essential servicing operations, such as processing and posting payments, which can result in potential late fees for borrowers and skewed accounts. During the time a servicer’s system or partner is down, the backlog of tasks continues to grow, which creates additional pressure on the servicer once everything is back online.

Investors are directly affected, too, as they may stop receiving their income from mortgage payments. This can strain a servicer’s relationships, especially if it leads to financial losses or breach of contract issues.

NEWSLINK: Is the loss of a servicing system during periods of disruption just a cost of doing business?

SCHMIDT: One might think so, given the recent headlines. But the notion that these disruptions are merely a cost of doing business is a dangerous and inaccurate assumption. Truthfully, there is no reason why loss mitigation activities cannot continue unobstructed even when a servicer or one of their partners encounters a serious data breach.

The key is for servicers to look more closely at redundancy of their operations. By simply diversifying vendors and technology partners, servicers can easily mitigate the risks involved with relying on a single service provider.

More than once in my career, I’ve seen servicers that were dependent on a single property preservation company experience a crisis when the company went out of business. That’s why, when I worked as a default manager, I always made sure to have a backup property preservation firm in place. Servicers today should be taking the same approach with their system providers and business partners. When a data breach or other type of emergency occurs, this strategy allows them to swiftly shift operations to backup systems and providers, so they can avoid any disruption to their services.

NEWSLINK: How can servicers avoid some of the pitfalls from such events?

SCHMIDT: Navigating cyberattacks requires a multi-faceted approach. For example, servicers need to properly authenticate their third parties, which is primarily a training issue. And a servicer’s team must be educated about suspicious communications and interactions that pose a threat to the company and their borrowers. However, in today’s world of remote workers, it can be difficult to keep everyone informed on cybersecurity best practices.

Servicers should also have robust, multi-layered cybersecurity protocols in place and constantly update them to counter new and evolving threats. This includes regularly scheduled cybersecurity audits and testing to identify vulnerabilities in a servicer’s operations and systems.

The bottom line is that cyberattacks are only likely to grow in number and severity, which means servicers need to think and plan ahead.

(Views expressed in this article do not necessarily reflect policies of the Mortgage Bankers Association, nor do they connote an MBA endorsement of a specific company, product or service. MBA NewsLink welcomes your submissions. Inquiries can be sent to Editor Michael Tucker or Editorial Manager Anneliese Mahoney.)