MBA Releases White Paper on Information Security

DALLAS–The Mortgage Bankers Association released a white paper that discusses information security risks facing the mortgage industry and basic security practices necessary to help mitigate risks.  

The report, The Basic Components of an Information Security Program, was authored by members of the MBA Residential Technology Forum Information Security Workgroup. The paper is intended to assist small and medium-sized entities that might need help in understanding and managing security risk. It was released here at the MBA Risk Management, Quality Assurance & Fraud Prevention Forum.

“We realized that smaller firms might not have enough resources or expertise to keep abreast of the rapidly changing risks,” said Shawn Malone, vice president of business compliance with Radian Group, Philadelphia, and chair of the MBA Information Security Workgroup. “Our Workgroup identified a need for a security guide that non-technical individuals could use to help improve the security of their organization.”

The paper highlights critical areas of focus.   

“The industry acquires various forms of non-public information from consumers in order to provide financial services, and maintains sensitive contracts, business secrets and other information. The existence of all this information makes it a target for bad actors,” the white paper said. “As a result of its economic importance and the sensitive information it creates and stores, the financial services industry has been designated as one of the six critical infrastructure sectors in the United States.”  

This designation, the paper noted, means that in addition to the existing regulatory oversight, several additional government agencies monitor the risks to the industry while also working closely with the industry to identify new threats as well as new practices to protect it. “For industry participants, this means additional resources to assist with managing security issues,” the paper said. “It also means that federal and state agencies are issuing regulations and guidelines to be followed. It can be difficult to keep current with the various edicts that may come from multiple sources, and for many smaller entities it can be overwhelming. The volume of guidance may create paralysis for small players, resulting in minimal or no action on their part.”  

“A risk-based approach is the most effective way to understand and implement an effective information security program,” said Robb Reck, chief information security officer with Pulte Mortgage, Englewood, Colo., and vice chair of the Information Security Workgroup. “This paper identifies those critical risks and offers suggestions for how to mitigate them. Our hope is that by providing this information, companies are able to more rapidly mature their security practices.”

The white paper outlines practical steps that MBA members can take to mitigate information security risk, including a recommendation that all institutions have in place an information security program and a regular self-assessment of such a program.  

“MBA continues to increase the breadth and depth of information security resources available to our industry,” said Rick Hill, MBA vice president for information technology. “In addition to this paper, MBA has conducted multiple webinars on various security topics, with more on the way. We also have added security-related sessions at many of our conferences, including Risk Management and the MBA Annual Convention.”

Hill said chief executives, board members, risk managers and everyone across the organization are part of managing risk. “Individuals in these roles should note that regulators are expecting their involvement in the development and oversight of corporate risk management programs,” he said. “MBA expects development of these resources will help companies navigate through the security risks facing our industry.”