Nexval’s Souren Sarkar on Bolstering Cyber Defenses in Mortgage Technology

Souren Sarkar, CMB, is the president and co-founder of Nexval, a technology company specializing in mortgage automation processes and IT infrastructure upgrades, located in Miami. Souren has over 25 years of experience as a technology leader in the mortgage and banking arena and is an expert at improving the performance and scalability of service-driven businesses using workflow automation. He can be reached at

When it comes to technology, today’s mortgage companies find themselves at a very interesting crossroads. On one hand, tech innovation in our industry is at a peak, with generative AI, machine learning and process automation setting new standards of efficiency for all stakeholders. On the other hand, the entire financial services industry is becoming increasingly vulnerable to cyberattacks—which threaten to undo all the technological progress a company has made.

The financial toll of data breaches continues to grow, too. According to IBM Security’s latest “Cost of a Data Breach Report,” the average cost of a data breach in the financial industry stood at $5.9 million in 2023. With mortgage companies responsible for an enormous amount of consumer data, the urgency for a robust cybersecurity strategy cannot be overstated. Fortunately, there are a number of valuable steps companies can take to thwart potential attacks, which can be broken down into three strategies.

Fortifying the Front Lines

Inside and outside of work, we’re constantly being told to change our passwords. But being human, we rarely follow this advice. A better approach is for companies to use temporary passwords for their systems that expire after a certain period of time, which minimizes the chances of someone exploiting an outdated password to gain access to sensitive data. Passwords should also be cryptographically generated using intricate algorithms that create random, distinct character sequences. This helps thwart brute-force attacks and makes it impossible for cyber intruders to predict or decode passwords, no matter how relentlessly they try.
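As an added illustration (not code from the article or from Nexval), the sketch below issues an expiring temporary password from the operating system's cryptographic random source and stores only a salted hash. The 15-minute lifetime, the character set, the PBKDF2 parameters and the in-memory `store` dictionary are assumptions chosen for the example.

```python
import hashlib
import hmac
import math
import secrets
import string
import time

ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*-_"  # assumed policy
TTL_SECONDS = 15 * 60    # assumed lifetime; the article gives no figure
PBKDF2_ROUNDS = 200_000  # assumed work factor


def entropy_bits(length):
    """Bits of entropy when every character is drawn uniformly from ALPHABET."""
    return length * math.log2(len(ALPHABET))


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def issue_temp_password(store, user, length=20, now=None):
    """Generate a password with the OS CSPRNG; keep only salt, hash and expiry."""
    now = time.time() if now is None else now
    password = "".join(secrets.choice(ALPHABET) for _ in range(length))
    salt = secrets.token_bytes(16)
    store[user] = {"salt": salt, "digest": _hash(password, salt),
                   "expires": now + TTL_SECONDS}
    return password  # shown to the user once, never stored in clear text


def verify_temp_password(store, user, candidate, now=None):
    """Accept the candidate only if a record exists, is unexpired and matches."""
    now = time.time() if now is None else now
    record = store.get(user)
    if record is None:
        return False
    if now >= record["expires"]:
        del store[user]  # an expired credential is removed, not merely ignored
        return False
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(_hash(candidate, record["salt"]), record["digest"])
```

With these assumed settings a 20-character password carries roughly 123 bits of entropy, and a stolen copy of `store` yields neither the password nor anything usable after the expiry time.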

Biometric systems, like fingerprint or facial scanning, add another security layer by confirming a user’s distinct physical traits before authorizing them to access systems and software. So too does multi-device authentication, which requires users to validate their identity on both their main device, such as a laptop, and an additional device, like their phone. Equally important is the practice of regularly examining user login records, which enables companies to spot possible weak links in system access and act quickly to reinforce them.

Finally, consider implementing controls that limit system access based on individual staff roles using the “principle of least privilege.” In other words, your staff should have only the minimum level of access they need to perform their duties. For example, a member of your sales team should have access to their customer’s information, but they probably don’t need access to their colleagues’ customer data or administrator-level access to other databases. Limiting system access in this fashion minimizes the potential damage from a cyberattack, data breach or user error.
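The sales-team example above can be expressed as a deny-by-default access check. This is an added sketch, not code from the article; the role names, the grant table and the `own`/`team`/`any` scopes are hypothetical.

```python
from dataclasses import dataclass

# Constructed grant table: each role lists only the (resource kind, action, scope)
# tuples it needs. Anything not listed is denied.
ROLE_GRANTS = {
    "sales": {("customer", "read", "own"), ("customer", "update", "own")},
    "sales_manager": {("customer", "read", "team")},
    "db_admin": {("database", "admin", "any")},
}


@dataclass(frozen=True)
class User:
    name: str
    role: str
    team: str


@dataclass(frozen=True)
class Resource:
    kind: str
    owner: str = ""
    team: str = ""


def scope_matches(scope, user, resource):
    """Check the grant's scope against who owns the resource."""
    if scope == "any":
        return True
    if scope == "team":
        return resource.team == user.team
    if scope == "own":
        return resource.owner == user.name
    return False  # unknown scope strings never widen access


def is_allowed(user, action, resource):
    """Deny by default: allow only when an explicit grant covers the request."""
    for kind, granted_action, scope in ROLE_GRANTS.get(user.role, ()):
        if (kind == resource.kind and granted_action == action
                and scope_matches(scope, user, resource)):
            return True
    return False


def access_review(users, actions, resources):
    """List every permitted (user, action, resource kind, owner) for periodic review."""
    return [(u.name, a, r.kind, r.owner)
            for u in users for a in actions for r in resources
            if is_allowed(u, a, r)]
```

Running `access_review` over all staff and resources gives the reviewer a complete list of what each person can actually reach, which is where excess access tends to show up.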

Consolidating and Securing Infrastructure

Many mortgage companies use multiple systems for their operations, yet these systems are often not properly integrated, which means they have multiple access points. Having poorly integrated systems not only reduces efficiency, but it’s also like having a house with many doors leading outside—it gives the “bad guys” too many options. A better strategy is to integrate your mortgage technology into one cohesive platform and reduce the number of entry points, thereby lowering the likelihood of cyberattacks. A consolidated and flexible system structure makes it easier to manage cybersecurity measures, too.

Second, consider transitioning your systems and data storage to a secure cloud environment, which enables you to take advantage of the most updated security protocols. Most cloud service providers dedicate significant resources to cybersecurity by regularly enhancing their systems with new data encryption techniques, incorporating routine backups, and regularly releasing software updates. A cloud-based infrastructure creates a safe haven for your systems and data, ensuring your operations are continually protected against new threats.

Another crucial step is to evaluate or re-evaluate your external vendors and software providers. The focus here is to eliminate any weak links by confirming your outsourcing partners employ the most stringent cybersecurity measures and follow best practices. For instance, do you know whether your business partners have validated controls that meet ISO 27001 or SOC 2 standards? If so, they are likely to conduct regular audits and scrutinize every aspect of their security protocols, which helps your company mitigate any risks that could be introduced through external sources.

Lastly, it’s no secret that many industries, including ours, have embraced remote work to increase efficiency and give employees more of their time back. The problem? This often leads to confidential data being sent over public networks, which increases the risk of cybersecurity threats. If you have staff working remotely, make sure to use virtual private networks, or VPNs, which encrypt data that may be sent over public networks. By establishing secure connections between whatever devices an employee uses and your company network, the chances of sensitive data getting into the wrong hands go down dramatically.

Cultivating a Security Culture

Once you have fortified your front line defenses and infrastructure and reduced the chances of hackers accessing your data, the battle is already half won. Now it’s time to make sure everything stays safe by establishing a culture of hypervigilance. The question is how.

The first and most obvious step is education. Your employees need ongoing cybersecurity training so they can more easily detect common hacking strategies such as phishing scams. They should also understand the importance of not disclosing personal or financial information through email or by telephone without proper verification. Creating an environment where employees are constantly learning about new hacking schemes and are quick to report any suspicious activities is crucial.

Similarly, borrowers also need education and guidance about how to identify phishing attempts and other suspicious activity. They should know not to click on dubious links, download files from unknown senders or share personal details over insecure channels. In fact, before starting the loan process with a new customer, you should provide clear instructions on how communications will take place and reiterate this information on your website and other online channels.

Another important measure to ensure sensitive data is truly protected is to collaborate with penetration testers and ethical hackers who specialize in pinpointing weak spots in your systems and evaluating how well they stand up to cyberthreats. Using the same skills that real cybercriminals use, ethical hackers mimic actual attacks on your systems, thus revealing any security gaps you may have missed or probably never considered. While these methods are not widely used among mortgage companies, they are incredibly valuable for identifying the true risks in your technology framework.

Of course, hackers are constantly refining their own methods and finding new loopholes to exploit. For that reason, cyber insurance, or cyber liability insurance, is a must-have in today’s environment. This type of insurance covers various expenses associated with cyberattacks, including legal costs and the costs of notifying and compensating affected parties. Simply having cyber insurance shows that you’re taking these risks seriously, which can enhance trust among your business partners and customers.

The bottom line is that the best cybersecurity strategies are multi-faceted. And while the above measures may sound complicated, with the right partnerships, they are actually much easier to implement than one might think. But it’s worthwhile to remember that, when it comes to cybersecurity, the real enemy isn’t the hacker trying to steal your customer’s data – it’s complacency. And with the frequency of data breaches continuing to rise, there’s no better time to face your enemy than now.

(Views expressed in this article do not necessarily reflect policies of the Mortgage Bankers Association, nor do they connote an MBA endorsement of a specific company, product or service. MBA NewsLink welcomes your submissions. Inquiries can be sent to Editor Michael Tucker or Editorial Manager Anneliese Mahoney.)