Reverse Mortgage Companies and Cybersecurity: Strengths and Pitfalls

Few issues are more pressing in the modern business landscape than cybersecurity and the approaches that companies take to make sure that their data – both for the companies themselves and clients – is adequately protected. Rarely does it seem like a month goes by without a major media outlet reporting on significant cybersecurity breaches that affect not only the companies but sometimes millions of clients who transact with them.

The importance of cybersecurity in the landscape of the reverse mortgage business is no different. The measures taken by lenders, brokers and vendors have just as much importance to the industry’s health as any other major corporation’s measures. While some reverse mortgage companies are taking the proper steps to ensure that stakeholders are aware of cybersecurity’s importance as a priority, other companies are not, which may be a mistake, according to one cybersecurity expert who recently spoke in a keynote at HW Annual in Frisco, Tex. late last month.

Cybersecurity measures that mortgage companies should take

Mortgage companies must focus on bolstering cybersecurity infrastructure. They should report all cyber incursions to the appropriate federal authorities to mitigate the impact of bad actors seeking to gain access to sensitive information or who aim to encrypt company systems to hold for ransom. This was a core part of the thesis presented by Selim Aissi, cybersecurity expert and former CISO of ICE Mortgage Technologies (formerly Ellie Mae) during a keynote session at HW Annual.

A keyword often thrown around the cybersecurity landscape these days is “ransomware.” Ransomware attacks – in which a bad actor gains access to a target individual or organization’s digital systems before encrypting them and selling the decryption key back to the victim for a price – have grown significantly more sophisticated over the past several years and have developed to the point where the creation of deployable ransomware software is a “service” which can be provided to a third party that will conduct the attack.

This development has allowed for easier deployment of ransomware attacks. It has led a broader gamut of bad actors – including more “traditional” criminals, such as members of organized crime – to become involved in cybercrime by using ransomware services that can be found on the so-called “dark web.”

Total losses from cybercrime exceeded $4.2 billion in 2020, Aissi explained in his keynote. The most predominant forms of cybercrime in 2020 included phishing incursions, business email compromise (BEC) and ransomware, which has extended into 2021. In terms of actions that mortgage companies can take on either the forward or reverse sides of the business, the best thing they can do to defend against the first instance of an unauthorized incursion into digital systems is proper education of staff to spot suspicious communications and to report them as soon as possible, Aissi explained.

Taking stock of a company’s most important assets and information is also paramount to success in avoiding becoming victimized by cybercriminals.

“I don’t have an exact number, but I can say that in my six years at Ellie Mae, I got calls from about 30-35 lenders over the last three years [of my time there],” Aissi said. “Mid-size lenders are more likely to share that they need help with authorities. Over the past five months, I got calls from about five lenders who were down for a couple of weeks, and it got to the point where they actually had to engage with the adversaries for the decryption key.”

That “engagement” usually means paying the ransom to have the ability to restore and repair a lender’s digital systems. Some companies may prefer this kind of engagement instead of engaging with proper authorities because of concerns related to proprietary information or other business sensitivities, Aissi said.

When asked by HW Media CEO Clayton Collins whether or not a mortgage company should report a cybersecurity breach to the Federal Bureau of Investigation (FBI) or other relevant authorities, Aissi explained that collaborating with federal law enforcement as quickly as possible can be a notable difference-maker.

“As part of [a lender’s] ransomware playbook, the first step on that should be to get in touch with a federal law enforcement agency,” Aissi said. “They have a lot of ransomware decryptors, but even when it comes to business email compromise, they can help recover lost money.”

Reverse mortgage companies and cybersecurity

RMD reached out to most of the top 10 Home Equity Conversion Mortgage (HECM) lenders in the industry about their cybersecurity measures and their postures related to attempts to avoid unauthorized cyber incursions.

“Finance of America Companies utilizes industry best practices to guide our efforts to mitigate cybersecurity threats, including ransomware, and our InfoSec program continues to evolve along with the threat,” said Drew Robertson, deputy chief information security officer at Finance of America. “Our customers’ privacy is our responsibility and we work tirelessly to protect their information.”

A more robust perspective on cybersecurity posture was offered by Scott Gordon, CEO of Open Mortgage based in Austin, Tex. When asked whether or not the company has had to deal with any direct cybersecurity threats, Gordon explained that the security infrastructure used by the company has been successful in avoiding severe issues.

“Open Mortgage has not been the victim of any successful attacks, but we know our platforms are targeted almost daily,” Gordon told RMD. “We have done a lot of work to secure borrower and company data, including things like encryption at rest on every server and every notebook in the company.”

When asked to appraise the issue of cybersecurity on an industry-wide level, Gordon was quick to point out that serious cybersecurity measures are paramount, especially as the reverse mortgage business aims to conduct more of its operations in digital arenas.

“The mortgage industry, like all financial services, will always be a juicy target for hackers,” Gordon said. “Besides having great IT and engineering folks internally, Open Mortgage regularly undergoes incursion testing by outside contractors. It’s incumbent on all of us in the industry to undergo testing on an ongoing basis and share what we learn with our peers. There is just too much at stake to let our guard down.”

Every other company contacted by RMD declined to comment for this story.
