Digitizing the Mortgage Industry Requires Increased Cybersecurity

Mortgage leaders are wary of the increasing cybersecurity risks pervading with the industry's digital migration, yet many admit they aren't taking the necessary precautions, according to a recent Arizent study. 

They are most concerned about what consumers are doing on their phones, and who they're granting access to data to, according to the Arizent survey. Yet only about half of those same respondents said they're testing their own IT infrastructure's cybersecurity, a glaring oversight at a time when fraud costs lenders more than four times their dollar amount lost. 

"So many people in the industry don't think that they're susceptible, either because of their size, or because they outsource everything, or it's not something they've thought about," said JT Gaietto, chief security officer at Digital Silence. "So I'm surprised you even got half and your respondents to say that they've thought about it." 

The mortgage industry is more exposed to fraud than banks and other financial services, according to a LexisNexis Risk Solutions report. Threats occur at every step of the mortgage process, with losses coming from account creation and login to funds distribution. Acquiring housing through fraudulent activity was involved in five of their top six threats. 

The mortgage industry's exposure to fraud has risen significantly since the onset of the coronavirus pandemic. Every dollar of fraud loss cost lenders $4.40 in fines, legal fees, labor and related recovery expenses through the first three quarters of 2021, nearly a dollar greater than pre-pandemic losses, according to the LexisNexis report. Firms also reported a 2021 monthly average of 1,431 fraud attempts - they prevented 62% of the attacks but the volume remains above pre-pandemic levels. 

Mortgage and banking respondents reported to Arizent better penetration testing than insurance carriers and wealth management: 54% said their organization practices periodic data breach simulations, while 47% said their firms routinely attempt to hack into their own IT infrastructure with or without a third-party expert. Mortgage firms not only need to improve precautionary measures, they may be forced to by their cyber insurance carriers, said Garry Woods, executive director of governance, risk, compliance and policy for cybersecurity firm Richey May. 

"For a lot of organizations you'll see a plan to bring those best services activities, it's going to help minimize the increase annually of cybersecurity insurance," Woods said. "I think you're going to see that number over the next three years increase significantly." 

Companies are increasingly adopting digital business tools but the technology isn't giving everyone greater peace of mind. Sixty-five percent of leaders told Arizent faster payments and money transfers have increased the cybersecurity risks for their firms. In a further breakdown, 50% of banking and mortgage respondents told Arizent mobile device use is increasing their cybersecurity risk profile, while 41% said increasing third-party access to data as directed by consumers is increasing vulnerability. 

Most mortgage firms aren't building their own mobile platforms and buying other popular products, Gaietto said. That makes them more at risk to threats like the Apache Software Foundation Log4j security vulnerability discovered in December, whose effects have yet to be determined. 

"A lot of our mortgage and financial institution customers are really concerned about that because it's very ubiquitous and it can impair their entire lending platform," he said. "If their software is not up to date, you know, threat actors can then take down their manufacturing processes, and that's obviously extremely costly." 

Of banking and mortgage leaders, 49% identified spear phishing, fraudsters' attempts to deceive mortgagors through email for wire fraud, as one of their greatest cybersecurity threats. Woods identified spear phishing as the mortgage industry's most common attack and also described a jump in bot attacks for companies that allow online loan applications - a threat just 31% of Arizent respondents said posed a greater risk in the near future. 

Insider threats in the form of internal employees taking proprietary information and leaving the company are another concerning trend, Gaietto said. Of Arizent banking and mortgage respondents, 51% identified data breaches as one of their greatest concerns moving forward. Gaeitto predicted the threat would persist through 2023 as margins diminish with increasing rates.

This article was written by Andrew Martinez from National Mortgage News and was legally licensed through the Industry Dive Content Marketplace. Please direct all licensing questions to legal@industrydive.com.