Cyber Crime: Mortgage Industry ‘Target for the Bad Guys’

SAN DIEGO–Sometimes the biggest threat to your firm’s reputation–and its finances–comes from factors that you cannot see.

“[Hacking] is a relatively profitable crime,” James Deitch, CMB, CEO of Teraverde Financial, said here at the Mortgage Bankers Association’s 102nd Annual Conference and Expo. “Someone can be in the entry-level part that looks to phish and get maybe $10,000 of closing funds re-transferred and work up from there. It exploits the very human weaknesses of curiosity and inquiry.”

Linglong He, Quicken Loans’ chief information officer, said mortgage firms have all the client data that hackers want. “Not just credit card information but asset and property information as well because we’re in the mortgage business,” she said. “And for regulatory reasons we keep that data for many years. So we are a target for the bad guys.”

Fannie Mae vice president and chief information security officer Anthony Johnson said firms need smart processes in place to protect against hackers. “There’s only one thing that can destroy a company overnight and that’s cyber security,” he said.

The Mortgage Bankers Association released a white paper last month titled The Basic Components of an Information Security Program that examines information security risks facing the mortgage industry and basic security practices necessary to mitigate those risks.

The white paper notes that the financial services industry is one of six critical infrastructure sectors in the United States because of the value of its data as a target for criminals and other bad actors. It outlines steps financial services firms can take to mitigate information security risk. 

“A lot of cyber security boils down to a really basic principal,” Johnsonsaid. “Don’t talk to strangers. Most of our lines don’t do business in Eastern Europe, so why should your network talk to them? Turn that off and it takes care of about 85 percent of the threat right there.”

Johnson said firms sometimes overlook another key risk: data transfer with third parties. “It’s a significant risk,” he said, noting that hackers accessed Target’s network by first hacking into Target’s HVAC vendor, which allowed them behind Target’s firewall. “Look at the Sony and the Target hacks: your firm may have a hard shell but you have inherent trust relationships [with your vendors]. You have to apply the same level of scrutiny to them. We use an organization that gives a ‘security credit rating’ to our partners. That helps us to find a level of due diligence.”

He agreed. “That should be integrated into your overall third-party and risk management process,” she said. “Because of greater awareness regarding cyber security people are reporting everything. I think the bad guys are much more mature then they used to be. We are getting much more mature to counter that.”