Accounting and advisory firm Richey May has launched a cybersecurity services practice to help lenders and servicers protect against the growing risk of online fraud and data attacks.
Through Richey May Technology Solutions, clients can receive an assessment of their IT infrastructure and controls. After the assessment, Richey May will make recommendations to the company and help implement them.
Lenders and servicers that do not have information security professionals on staff can hire Richey May to act as a chief information security officer on a contract basis, the firm says in a release.
John-Thomas (J.T.) Gaietto, an information security expert who joined Richey May last fall, has been named executive director of Richey May Technology Solutions. Gaietto has more than 18 years of experience providing enterprise information security and risk management services, most of which he spent working in the financial services industry.
Large-scale cyber-attacks on Equifax, JP Morgan Chase, Yahoo and many other companies in recent years have created growing anxiety among the company’s mortgage clients.
“There’s a sense that, if it can happen to a giant credit reporting company like Equifax, it can happen to anybody,” Lee says. “The problem is many companies in the mortgage industry do not have the internal resources they need to protect themselves, which is why we’re offering to help.”
Gaietto says mortgage lenders are right to be worried.
“No industry works with as much sensitive consumer data as the mortgage industry,” he says. “They have everything about a borrower’s finances, from pay stubs to tax returns to the Social Security numbers of their children. They’re also required to retain this data for years, which compounds the challenges of storing it securely and keeping it out of the hands of cyber-criminals.”
Recent shifts in how mortgage lenders use technology have increased the risks as well.
“Since a growing number of lenders now use loan origination systems (LOSs) and other software over the Internet, and are migrating IT infrastructure to the cloud, they are often unaware of how their borrowers’ data is being protected, let alone where the data is physically located. Many assume their cloud providers oversee protecting data as well, when it is typically a shared responsibility between the lender and the provider.”
Mortgage lenders must also face an increasing number of cybersecurity regulations. Last year, New York enacted one of the strongest cybersecurity regulations in the nation. It requires mortgage companies to conduct cybersecurity risk assessments, train staff and put controls in place to protect consumer data.
“Our assessments can really be eye-opening for lenders, because they don’t really know where their data is, how frequently they’re being targeted, or how vulnerable they are,” Lee says. “All it takes is for one staff member to do the wrong thing, and you’re in big trouble.”