Proof

Cybersecurity Risks and Challenges in the Digitized Mortgage Industry

A recent Arizent study reveals that despite rising cybersecurity risks and increased fraud exposure in the digitized mortgage industry—exacerbated by the pandemic and involving threats throughout the mortgage process—many mortgage leaders inadequately test their IT infrastructure, underestimate their vulnerability, and face significant financial losses, with only about half conducting regular penetration testing or breach simulations, highlighting a critical need for improved cybersecurity measures and potential future requirements from cyber insurance carriers.

Mortgage leaders are increasingly concerned about cybersecurity risks as the industry undergoes digital transformation, but many admit to not taking sufficient precautions, according to a recent Arizent study.

Key concerns include consumer behavior on mobile devices and the granting of data access to third parties. Despite these worries, only about half of respondents reported testing their own IT infrastructure's cybersecurity. This is a significant oversight, especially as fraud costs lenders more than four times the dollar amount lost.

JT Gaietto, chief security officer at Digital Silence, noted that many in the industry underestimate their susceptibility to cyber threats, often due to their size, reliance on outsourcing, or lack of awareness.

A LexisNexis Risk Solutions report found that the mortgage industry is more exposed to fraud than banks and other financial services. Threats occur throughout the mortgage process, from account creation and login to funds distribution. Fraudulent activity in acquiring housing was involved in five of the top six threats identified.

Since the onset of the coronavirus pandemic, the industry's exposure to fraud has increased significantly. In the first three quarters of 2021, every dollar of fraud loss cost lenders $4.40 in fines, legal fees, labor, and recovery expenses—nearly a dollar more than pre-pandemic levels. Firms reported an average of 1,431 fraud attempts per month in 2021, preventing 62% of attacks, but the volume remains higher than before the pandemic.

Mortgage and banking respondents reported better penetration testing practices than insurance carriers and wealth management firms: 54% said their organizations conduct periodic data breach simulations, and 47% routinely attempt to hack their own IT infrastructure, sometimes with third-party experts. Garry Woods, executive director of governance, risk, compliance, and policy at Richey May, suggested that cyber insurance carriers may soon require improved precautionary measures.

Woods stated, "For a lot of organizations you'll see a plan to bring those best services activities, it's going to help minimize the increase annually of cybersecurity insurance. I think you're going to see that number over the next three years increase significantly."

While companies are adopting digital business tools, this hasn't necessarily increased their confidence in security. Sixty-five percent of leaders told Arizent that faster payments and money transfers have increased cybersecurity risks. Among banking and mortgage respondents, 50% said mobile device use is increasing their risk profile, and 41% cited increased third-party data access as a vulnerability.

Most mortgage firms purchase, rather than build, their own mobile platforms, which exposes them to risks like the Apache Software Foundation Log4j vulnerability. Gaietto explained that such vulnerabilities are widespread and can disrupt entire lending platforms if software is not kept up to date.

Among banking and mortgage leaders, 49% identified spear phishing—fraudulent email attempts to deceive mortgagors for wire fraud—as a top cybersecurity threat. Woods described spear phishing as the industry's most common attack and noted a rise in bot attacks for companies allowing online loan applications, though only 31% of respondents saw this as a growing risk.

Insider threats, such as employees taking proprietary information when leaving the company, are also a concern. Fifty-one percent of respondents identified data breaches as a major concern for the future. Gaietto predicted that this threat would persist as profit margins shrink with rising rates.