How Mortgage Servicers Can Mitigate Cybersecurity Risks


With AI-powered cybersecurity incidents – including advanced malware and ransomware attacks – becoming more prevalent, many mortgage companies will be looking to update their network and data security in 2025.

One of the biggest challenges mortgage servicers will face is ensuring that the third parties they work with are also meeting – or better yet exceeding – industry security standards.

In a recent interview with MortgageOrb, Jane Mason, CEO of mortgage software firm Clarifire, discusses how these threats are evolving and how mortgage servicers can defend against them.

Q: Have there been any recent changes to cybersecurity risk for mortgage servicers?

Mason: The risks continue to grow. Over the past year, several large mortgage servicers experienced major data breaches that impacted tens of thousands of borrowers and triggered multiple class action lawsuits. Ransomware attacks and targeting of vendor systems have become more common, and cybercriminals themselves are becoming increasingly sophisticated in their methods. While these threats are not unique to the mortgage industry, we’ve seen a shift from widespread, indiscriminate attacks on major businesses to targeted attacks on companies where the potential for a high payout is greatest. Because mortgage servicers handle enormous amounts of personal data about borrowers, they have become particularly attractive targets to hackers.

Q: Why have digital security threats become more prevalent?

Mason: Digital security threats are rising for several key reasons, including the fact that mortgage servicers are increasingly relying on digital, cloud-based platforms. Without the proper safeguards in place, these platforms can create more opportunities for cybercriminals, since every digital interaction or data exchange is a potential entry point for unauthorized access. Another factor is that most mortgage servicers use a variety of software and hardware, and each has potential vulnerabilities. A servicer’s integrations with third-party services and systems, which are also very common, create additional layers of risk.

As mentioned, cybercriminals are constantly becoming more sophisticated with their attacks, but there is also a human element involved. A mortgage servicer’s staff is often the weakest link in the cybersecurity chain, as it’s easy for an employee to be tricked into providing access to a servicer’s system and data through phishing schemes. This risk can be addressed through staff training, but some companies find this to be costly and time-consuming.

Q: How can servicers protect their customer data?

Mason: Unfortunately, there’s no magic shield that can completely prevent cyberattacks and data breaches from happening. But there are many proven strategies that help lower the risk. One is to choose technology partners that prioritize data security and utilize data encryption, real-time threat detection and regular security audits, all of which can bolster a mortgage servicer’s overall level of protection. Measures such as multi-factor authentication (MFA) can also enhance security by thwarting attacks that rely on stolen credentials. Regular training and awareness programs for all employees are vital as well. When a servicer’s staff is continually briefed on the latest threats and educated on best practices, servicers are much less susceptible to breaches that rely on human error.

Q: What if, despite their best efforts, the servicer experiences an outage?

Mason: As the recent CrowdStrike-related global outage demonstrated, companies can do everything right and still suffer an outage. A faulty patch brought down 8.5 million computers and left them unable to restart, causing the largest outage in history.

To protect themselves from internal system failures, third-party outages, and ransomware attacks, servicers should maintain risk-based resilience policies and procedures. The resilience policies should encompass resilient systems by design, crisis management, business continuity, and disaster recovery.

It is essential servicers integrate their disaster recovery procedures with their service providers. This requires the service provider to have their own resilience policies and procedures in place. It’s also a good idea for servicers and service providers to rehearse the procedures together.

Q: What type of cybersecurity credentials should servicers look for from service providers?

Mason: Servicers should be looking for service providers with credentials that demonstrate they have robust defense systems in place and are constantly improving them. One such credential is a Security, Trust, Assurance and Risk (STAR) Attestation from the Cloud Security Alliance, which signals that a provider is committed to maintaining strong security practices, transparency, rigorous auditing, and consistency with cloud security standards. Another critical certification is a SOC 2 Type 2 report, which assesses the effectiveness of a service provider’s controls over a certain period of time, which can provide assurance to servicers that their data is managed securely.

Another credential to look for in a potential service provider is whether they have adopted a Shared Security Responsibility Model (SSRM). This is a security best practice that demonstrates the service provider’s intent to collaborate with the mortgage servicer to protect customer data through clear communication and division of security responsibilities. Overall, choosing providers that are SOC 2 audited, have a STAR Attestation, and integrate an SSRM into their service agreements can provide servicers with greater confidence about their overall cybersecurity posture.

Q: Besides credentials, what is the most important information a servicer should request from a service provider?

Mason: The single most important factor that determines the security of a system is whether it was built to be secure by design. Unfortunately, many if not most companies design their systems first and then add security as an afterthought. Servicers should request evidence from their service providers that security was considered in the design phase of their systems. The evidence should show that the design process begins with an assessment of potential threats and vulnerabilities. This sets the stage for system development, which includes secure coding practices, testing and quality assurance, and deployment and configuration management. These design best practices should be supplemented with education and awareness, risk management, and compliance auditing.

Q: What other factors should servicers consider in engaging a service provider when it comes to protecting their digital records?

Mason: There are many other factors to consider before engaging a potential service provider. A provider’s experience in the servicing industry is particularly important. Generally speaking, providers with a deep understanding of the specific challenges and regulatory requirements their servicing clients face are far better equipped to create an effective security strategy. A provider’s technological capabilities play a critical role, too. Providers that are able to integrate seamlessly with a servicer’s existing technology infrastructure can help ensure data flows securely and efficiently between different systems, which minimizes the risk of breaches and errors.

A potential service provider’s disaster recovery and business continuity plans are vital as well. These plans should clearly outline how the provider will handle data breaches or other security incidents, including the immediate actions they will take in the case of an outage or a system failure to minimize the impact and restore services promptly.

Last but not least, a provider should undergo periodic security audits such as SOC 2 and industry-specific audits such as KY3P, and share the results of these audits with their clients. This helps build trust and ensures that the servicer is kept abreast of how well their data is being managed and protected.

Q: What responsibilities should a managed security service provider (MSSP) take over, and what responsibilities remain with the servicer?

Mason: While most mortgage servicers work with multiple service providers, it’s important to remember that the responsibility for protecting customer data rests with them. It’s reasonable to expect an MSSP to manage the technical aspects of data protection, such as deploying and managing firewalls and threat detection systems, encrypting data, and continuously monitoring their systems and networks for unusual activities. But there are plenty of industry best practices that mortgage servicers can and should implement themselves.

For example, servicers must manage access to their systems and software to ensure that each employee has only the permissions they need to perform their jobs, and no more. They should also have their own comprehensive, risk-based security policy that outlines security protocols for their staff and regularly train employees on these policies. Servicers are also responsible for maintaining data integrity, and making sure all data that is entered into their systems is accurate and managed appropriately. Most of these responsibilities can’t be outsourced. But when there is a clear separation of duties between servicers and their MSSP, and both sides play their role effectively, the likelihood of a crippling cyberattack or data breach falls dramatically. As the saying goes, teamwork makes the dream work.
