PERSON OF THE WEEK: The mortgage industry has been hit hard by cybersecurity incidents in recent months, causing alarm among both lenders and servicers. To learn more about why these incidents are on the rise, the impact they are having, and what mortgage companies can do to mitigate the risk, MortgageOrb recently interviewed Donna Schmidt, managing director, DLS Servicing.
Q: What recent data breach incidents involved mortgage servicers, and what was the impact?
Schmidt: Lately, it seems a large player in the servicing industry is getting hit by a data breach every couple of weeks. In fact, loanDepot, Mr. Cooper and LoanCare each disclosed data breaches over the past three months, and all three entities and their customers were directly impacted. These incidents were not isolated, but indicative of a broader pattern of cybersecurity threats targeting the financial sector and the sensitive customer data that financial services companies are supposed to protect.
When a servicer falls victim to a cyberattack, the impact extends beyond any immediate disruption. The exposure of borrowers’ personal and financial information can lead to identity theft and fraud. The rash of data breaches in our industry also disrupts core operations that keep the wheels of the mortgage industry turning. Payment processing, investor reporting, and the ability to carry out loss mitigation activities all come to a grinding halt, leaving servicers scrambling to manage the fallout for weeks or even months.
Q: How are data breaches even possible at large financial services organizations?
Schmidt: Even if a financial services company has advanced security measures in place, data breaches can still occur. Oftentimes, these events are self-inflicted. For instance, somebody at the organization may accidentally authorize access to sensitive data to a third party without the proper verification.
But the major reason data breaches happen is that the financial incentive for cybercriminals is enormous. Sensitive consumer data can fetch high prices on the black market, so perpetrators are highly incentivized to access that data. They will probe tirelessly for any vulnerability they can exploit. The only way financial services companies can protect themselves is by preparing for them ahead of time by making sure they have strong security protocols in place as well as backup systems ready in case they need them.
Q: What is the risk to the consumer after such an incident?
Schmidt: When a data breach occurs, the biggest risk to consumers is the potential exposure of their personal data, which can lead to all sorts of problems. When a borrower’s personal information has been compromised, such as their social security number and home address, they face the risk of someone stealing their identity and making fraudulent financial transactions in their name. This can range from someone opening a new credit line, taking out a loan, filing for government benefits, or making unauthorized purchases under the victim’s name. Any of these can have a devastating impact on the consumer.
The aftermath of identity theft can be long-lasting and challenging to resolve, too. Victims may spend months disputing unauthorized transactions and trying to remove fraudulent charges from their credit reports. They may even require legal assistance, which can add to their financial strain. For months or even years afterwards, the impact on the consumer’s credit score can hinder their ability to obtain loans, secure housing, or even find a job, since many employers conduct credit checks as part of their hiring process. All of this can take a tremendous psychological toll on the victim. The emotional trauma can linger long after the financial issues have been resolved—if ever.
Q: Do borrowers recover their lost money?
Schmidt: Despite a victim’s best efforts to reverse the damage of identity fraud, full restitution is rare. Most are only partially able to recover their losses. For example, many financial institutions will cover fraudulent charges on credit cards or in bank accounts, but only up to a certain limit or under specific conditions. The recovery of funds stolen in other ways can be much more difficult. Furthermore, the process to prove you’ve been a victim of fraud is not only cumbersome but can also be hindered by the sophistication of the criminal’s methods. Cybercriminals are adept at covering their tracks and often leave little trace for investigators to follow.
Q: What are the residual risks from a breach for servicers?
Schmidt: A data breach not only disrupts a servicer’s current operations, but the aftermath often sees servicers grappling with legal challenges that stretch over years. We’ve already seen lawsuits filed against LoanCare and Fidelity, and such activity is likely to balloon as class action attorneys settle on lead plaintiffs and file complaints. These legal battles are not just financially draining, but they also consume time and resources that could be dedicated to servicing mortgages and assisting borrowers.
There’s reputational damage to consider as well. When servicers are linked to data breaches, any trust they have earned with borrowers and partners quickly erodes, leading to a loss of business. The harm to one’s brand is deep and hard to repair. Also, regulatory scrutiny of a servicer’s operations often intensifies after a breach, which can result in fines and mandates to overhaul their security measures.
Q: What steps can servicers take to avoid disruption from such events?
Schmidt: On a certain level, cybersecurity crimes are impossible to prevent entirely, because the tactics cybercriminals use are constantly evolving and becoming increasingly advanced. However, there are some very simple measures servicers can take to reduce the risk. One of the easiest is establishing redundant systems to ensure there’s always a contingency plan in place should a servicer’s primary system fall victim to a cyberattack. This is particularly helpful for ensuring loss mitigation efforts continue uninterrupted. With a backup system in place, servicers can avoid missing critical loss mitigation deadlines and make sure they stay in constant contact with distressed borrowers.
In fact, this is why many servicers are choosing WaterfallCalc as their backup loss mitigation system. Because WaterfallCalc can be seamlessly integrated with a servicer’s existing operations and multiple third-party service providers, servicers can easily switch to it if their primary loss mitigation system goes down and quickly calculate a borrower’s loss mitigation options accurately and compliantly.
Regardless of what solutions they choose, however, it’s important for servicers to have backup strategies in place to fortify their operations against potential disruptions. After all, cybercriminals aren’t about to give up—so we shouldn’t, either.