This year, high-profile cybersecurity incidents at third-party vendors have exposed both lenders and their customers to significant risks. National Mortgage News reporter Andrew Martinez speaks with Atlantic Bay Mortgage Group's Lindsay Barbera about how firms can mitigate such risks in third-party vendor relationships and beyond.
Transcription:
Transcripts are generated using a combination of speech recognition software and human transcribers, and may contain errors. Please check the corresponding audio for the authoritative record.
Andrew Martinez (00:10):
Hi everyone. Good afternoon and welcome to today's Rise Leader session. I'm Andrew Martinez, a reporter at National Mortgage News, and our topic today is third party risk management for mortgage lenders. Today I'm joined by Lindsay Barbera, vice president of third party risk and strategy at Atlantic Bay Mortgage Group. Thanks for joining us today.
Lindsay Barbera (00:29):
Hey, Andrew, how are you? Great to see you again.
Andrew Martinez (00:32):
Yeah, likewise. If the audience remembers, Lindsay spoke with us at the Digital Mortgage Conference and we'll be following up on some of those topics today. But before we get into the conversation, Lindsay, I was wondering if you could tell us about your journey to your current role and what you do at Atlantic Bay today?
Lindsay Barbera (00:51):
Absolutely, and I wanted to thank you for having me and wanting to have this conversation continued. My journey in the industry started in 2008, and I was listening to some of your prior interviews and kind of chuckled when I think one of the last guys you interviewed talked about how when you get out of college, you kind of look around and see what your friends are doing. And none of my friends were in the mortgage business, but right before I started at the first company I was working for a real estate company ish. Didn't love it, but was in the process of buying my first home. And unbeknownst to me, the mortgage lender that I used at the time to buy my first home was where I would really start in this industry. I started at the front desk and back in 2008, as a lot of us remember, it was very antiquated time, paper files, I was scanning, closed loan packages, and I started to become familiar with loan documents and was promoted to processor.
(01:49):
And within a few years of that, the company I worked for had gotten their Fannie and Freddie tickets recently and wanted to become a servicer. And anybody that's familiar with that process, you have to have somebody on staff that has a resume with servicing in it. And so I live in Louisiana and even now it's not exactly your mortgage Mecca place. And so we had to relocate somebody. So we did. And fast forward, he ended up having to move back home and I was offered the job to run servicing around 2014 by my boss at the time. And I remember sitting in his office and looking behind me wondering, are you talking to me? I don't even know what that word means. I just pay a mortgage. And so I ended up running servicing for several years, but because I knew so little about it, I had to reach out to somewhere to find out more about it.
(02:45):
And so that's really what started my relationship with the MBA and how resourceful they are. And it really opened my eyes and made me realize that I wanted this to be more than a job. This was going to be my career in this industry. And so since then, I moved to Lenders One Mortgage Cooperative in 2021 and worked in the vendor space and with some really great IMBs and banks, and the ability to have remote work that came from COVID really was such a blessing for my professional career because like I said, living in Louisiana, there wasn't a whole lot of places that could work before remote work became so popular. People only hired within really their city because you came into an office every day. So you really had a talent pool that was pretty closed off unless you lived in a Dallas or a Charlotte or in any of the big cities.
(03:41):
And so I say to say that it's ultimately landed me where I am today. The relationships that I've made in the MBA and at Lenders One have ultimately landed me in Atlantic Bay, which I'm so happy to be here. And as you mentioned, I'm the vice president of third party risk and strategy, and that essentially means I run, I have two teams that I run. I run our cybersecurity team, and then I run our vendor compliance team, which can often be associated as third party risk as well. It can be called really the same thing. So that's how I got here.
Andrew Martinez (04:14):
Yeah, no, it's an interesting journey. I guess nobody says in college we want to be third party risk management. It's just something that you don't even know until you get into the industry. So maybe on that note, I'm just really curious when we talk about third parties, who are the third parties in the mortgage industry that we're talking about, which types of companies would fall under that definition?
Lindsay Barbera (04:35):
So third parties really for any company is any external entity that you do business with. So think vendor service providers, partners, and those partners and vendors, they're going to perform central services and critical support to the lender as we talk about it today.
Andrew Martinez (04:55):
For sure. And maybe just the topic of our conversation, the big question, what are third party risks for mortgage lenders?
Lindsay Barbera (05:03):
I mean, cybersecurity exposure comes, I mean, the culprit is data sharing. Once the data that we have, we are entrusted with consumer data through the loan manufacturing process. Once that data leaves our hands, leaves our walls and is shared with an external entity, there's exposure for breaches, unencrypted communication, data sharing vulnerabilities, things of that nature is once it leaves our walls, that's when the exposure really comes into play.
Andrew Martinez (05:33):
Got it. And maybe just to put it in the context, with the atmosphere out there today, has the risk of exposure from a say third party incident increased in recent months and would be the reason for that?
Lindsay Barbera (05:46):
I would say yes. I mean, honestly, it's really increased in recent years. I mean, back when I started, it was pretty known that the mortgage industry was the last thing from a tech forward industry. And then over the last several years, 10 or so years, it's really become just this FinTech and these vendors have come in and they've provided these services to improve efficiency, to speed things up, especially as technology enhancements continue. And so as the more data that you're sharing with other vendors, the more risk is in play. And so with that risk and exposure lenders in Atlantic Bay in particular rely on a strong third party risk management program because it's going to be important for that team to vet the vendors, not only to protect the consumer data that these borrowers entrust us with, but also to minimize any financial and reputational risk that may come with it.
Andrew Martinez (06:40):
And then I'm wondering too, just maybe looking ahead, we all hope origination volume's going to pick up, but should that volume pick up, does that just also increase the third party risk?
Lindsay Barbera (06:50):
It can. I think that as the vendors continue to come on the scene and as we continue to use them, the risk will always be there. But yes, naturally the busier we become, the more likely we're going to become careless. We're always on the go, especially in this industry. Mortgage loan originators are not sitting behind their desks so much. They're out talking to realtors, builders, any referral sources that they have. And so the more rushed you feel, the more likely unintentional negligence is going to come into play. And so that's why it's so important for my team and our company to have really a secure work environment for them that layered protections behind the scenes that they don't even know that's necessarily there or why it's there. But that helps us because when we do become busier, that's when we become more vulnerable and more careless, unfortunately.
Andrew Martinez (07:43):
Yeah, no, totally understand. And maybe just to help set the picture, wondering if you could describe how many vendors does a mortgage company typically work with? I would imagine it's not just a one third party mortgage lender you're working with, but maybe if there was a ballpark or I'm curious about that.
Lindsay Barbera (08:00):
No, it's definitely not one really. A lot of it depends on the size of the lender, but I mean, you could be talking upwards of a hundred, you think it can be, it's any third party, and it doesn't even necessarily have to fall into the loan manufacturing process. It can be who you use as a copier or who you use for Microsoft things of that. It goes beyond just the origination of the mortgage. But what's important is that your vendor count should really align with the business debt strategy. And so we're fortunate at Atlantic Bay to have such a great ELT team and ownership that we know that when we are vetting vendors, that is a top priority of ours to make sure, does this really align with our 1, 3, 5 year plan and vision for the company? Because the more robust your vendor portfolio is, the more operational challenges that you can have when it comes to managing it. So the more data sharing you do, the more risk that comes with it. So you want to make sure that you're strategic on the amount of vendors that you're working with.
Andrew Martinez (09:06):
And actually really want to dive into that kind of the vetting that you talked about. I'm wondering if you could talk about what a lender looks for going into a relationship with a third party vendor. I'd imagine it's a lot of areas, but I'm wondering if you could walk us through that.
Lindsay Barbera (09:19):
I mean, I think the easier question would probably be, what do we not look at? That would probably be a shorter answer. There's an old saying in this mortgage industry that when you originate a loan, you basically ask for everything but their blood type. And it's kind of the same thing here when we're looking at a vendor, especially depending on what kind of data they're seeing. So that's really what we first have to determine. We have to determine what data are they seeing? Are they going to see borrowers' confidential private data? If they are, then we're going to take the hardest, closest look at them. If they're not, it's less granular. We're still taking a look at things, and there are still things that are important, but let's take a critical vendor, for example. We want to know where is their data stored? Is it onshore?
(10:01):
Is it offshore? Where is their company located? Is it onshore, offshore? Have they had a breach? What's their track record? Have they had compliance issues? We want to take a look at their cyber liability policy and their insurance policy reps and warrants, their financials. Are they a financially sound vendor or are we going to be worried about a vendor that's going out of business in six months and we're stuck and have paid out? It's no secret that a lot of these vendors that we do business with, especially critical ones, the spend on these contracts is not small. And so it's important that when you are determining who you're going to do business with and allocate these funds to, that you're doing them with the right companies and that they're going to be companies that are around for a while. And then one of the last and most important things we look at is what are their incident response plans?
(10:52):
Because as you and I are talking here today, we're talking about the exposure and the risk that comes from third party relationships with lenders. So if a lender has a i, a vendor has a disruption, we want to see their plans and are they testing their plans? If there's a disruption or a breach, what do they have in place to fix it? How is it going to be fixed on their end? And lastly, we want to make sure that our vendors are staying educated, especially as it comes to regulatory timeframes and protocols on notifying certain agencies, regulators in the event of a breach.
Andrew Martinez (11:30):
Yeah, for sure. It's good stuff. I definitely want to continue to dive deeper there, but maybe also, again, just to think about what's at stake here. I'm wondering how an incident at a third party vendor could disrupt a mortgage lender's operations. I'm curious maybe what the downstream effects are if something were to happen, the stuff you're looking out for ahead of time.
Lindsay Barbera (11:51):
I mean, it really depends on the scope and the severity of the breach. I mean, if it's a pretty minor breach, the effects and the downstream effects are pretty minimal. I mean, it could just be a matter of inability to access the service for hours or a period of time. But if it's, let's take example, your LOS, your loan operating system for us, we use by a lot of folks in the industry using Encompass. If that goes down, that could be extremely disruptive, especially if it's for any length of time, because one thing you don't have a backup of at a lender is their LOS. You don't keep an extra one on hand. So that's not really how it works. So if that goes down, then you could potentially be looking at loan processing delays. Could compliance violations arise because of that? If it's a vendor, like maybe a verification service.
(12:37):
So verifications of employment, they have several of those out there. Some are more expensive than others. And as lenders continue to try and keep costs down because the costs to originate a mortgage continues to go up, you tend to use the one that's the least expensive. So if that one goes down and you're forced to use the one that's pricier, that's an increase in cost. But then also if you don't see a timely fix, are you going to have to engage with another vendor to bridge the gap? What kind of cost could come from that? But for, you mentioned downstream effects, I mean, obviously there's a monetary value that could come into play depending on the severity. Could lawsuits arise from this? Are you going to have to file any insurance claims? Are you liable for anything? What's the impact to the customer experience for the delays? The old saying the moving truck is in their driveway with each of these loans that we're trying to close, if there's a delay, one thing about each loan is that it's locked on the secondary market, and that lock has an expiration. So what happens if the lock expires and the system, there's still a disruption in this vendor? What's the cost that comes with that? Is there reputational damage?
(13:56):
We live in a world of social media and people get upset and they can have knee jerk reactions. Is somebody going to go to social media and it goes viral? It could be any number of things. We obviously hope for the least amount of impact, but there are downstream effects if it's a pretty severe breach. And then another thing that comes to mind is the regulatory scrutiny. Are there compliance issues that have arisen because of this breach? If there are, that could cause a regulator to want to increase oversight on your particular company. And so that obviously could be another downstream effect depending on how severe the disruption is.
Andrew Martinez (14:37):
Yeah, yeah, it definitely sounds like a lot. It makes me wonder, and I'm sure, I'm curious if there's playbooks out there, if your company or companies will have just playbooks for these scenarios. It maybe hasn't happened yet to us, but is it just maybe one of those practices to have that playbook to happen when things occur?
Lindsay Barbera (14:57):
You said are there playbooks? Yeah. Yeah. I mean, there are things that we have for as far as best practices. That's why we do such a deep dive. And there are things that we're looking for. And unfortunately, experience plays a factor in that as well. But it's just one of those things. That's why we do such a deep dive and make sure that we are holding our vendors accountable for the protection of consumer data.
Andrew Martinez (15:25):
Definitely. And then maybe just returning some of those best practices you mentioned. I'm curious, there's a lot of due diligence involved, so just want to keep diving here. I'm curious, what are some other best practices that regarding third party vendor relationships, things that no matter the vendor type, maybe that you're saying, we're going to do this, we're going to do that?
Lindsay Barbera (15:46):
Well, the fortunate thing is we're able, we can always monitor the performance against the SLA and perform periodic audits against these vendors, but it's important for us to protect ourselves is to establish contingency plans in the event of a vendor failure or disruption.
Andrew Martinez (16:08):
Got it. And so would that mean, again, just the example of the one LOS, it sounds like there's also some situations though, where it could put you in a tight spot. I mean, just given the layout of a company. Is that right?
Lindsay Barbera (16:22):
Correct. Yeah. I mean, there are some things that there really isn't a workaround.
Andrew Martinez (16:28):
For sure. I'm wondering, maybe just hopping around here, I'm curious about cybersecurity policies. When we're talking about incidents, I'm wondering if cybersecurity policies cover some of this third party risk, if there's, I suppose, layer protection or a layer of safety net there when something happens?
Lindsay Barbera (16:47):
Yeah. Policies typically cover liabilities that are incurred due to a third party's action or data breach. But every policy is different. Cyber policies, they're designed to protect against financial risk and losses in the event of a cyber attack or a data breach. Should something like that happen, they can protect and cover things like legal counsel, data recovery, crisis management, fines from regulators, any PR that you might need, but no policy is the same. And I can about guarantee you that your policy this year probably looks different than your policy several years ago because the cybersecurity insurance market continues to tighten considerably. I was reading an article the other day, and cyber claims north of a million dollars rose 14% in 2024. So this is, these increase in claims is marking a critical shift in corporate risk. And so as the risk continues to rise and the claims continue to rise, so do premiums, but what doesn't continue to rise and what keeps narrowing is coverage terms.
(17:53):
So it's critical that your cybersecurity team, your legal team, and that your company understands and has read their cyber liability policy top to bottom. What does it cover? What does it not? I mentioned earlier that lenders these days are trying to do anything to cut costs. It has been a rough last couple of years. Volume's not where we want it to be. Rates aren't where we want them to be. And so lenders are trying to find any place that they can cut costs. This policy is not a place I would suggest cutting costs, a bare bones policy is likely going to get you in a lot more trouble. It might sound great. They say about insurance in general. You don't need it until you need it. You pay for it, you pay for it, you might not need it, but then when you do need it, you're glad you have it. So making sure that you're adequately covered is crucial. And then because if not, if you want to have the bare bones policy, and this is the bare minimum to get by, you're going to need to make sure that your company is financially sound to cover things that this policy is not going to cover should something because we live in a world that it's not an if, it's a when.
Andrew Martinez (19:03):
Yeah, yeah. No, that's a good point. And it just makes me wonder if maybe just anecdotally, or maybe if you wouldn't be surprised if there's companies out there that are forgoing their policies or maybe not having the appropriate amount of policies. I'm wondering if you think or you've heard that just times are so tough that there might be a shock out there that says it's going to get tight. For us,
Lindsay Barbera (19:26):
It would be pretty impossible to forego having a policy because of the regulators and agencies and investors, they're requiring things like that. But having a bare bones policy, I mean, it's possible. It's similar to homeowner's insurance. Many of mortgage bankers have increased the deductible to the max deductible to get the premium down. It's the same type of thing. It is structuring it to where it costs less. So I wouldn't suggest it, but I'm sure it's happening.
Andrew Martinez (19:59):
For sure. And maybe just talking about the third parties, again, I'm curious about these SLAs, and you talked about maybe the smaller minor breaches. I'm curious, does a breach automatically nix that agreement? But I'm wondering if there's maybe some leeway, maybe it was like an email that affected 50 people or something. I'm wondering if a breach is the death, any breach of any size is a death knell for an SLA?
Lindsay Barbera (20:26):
I mean, it should and it could be. I mean, it really depends on the scope and the severity of it. But I mean, worst case scenario, of course, there could be legal recourse that has to be taken or it could lead to the termination of an agreement and a contract. Ultimately, we hope that doesn't happen, but it certainly could. I mean, at the end of the day, borrowers are coming to us and they're entrusting us with their most critical data. You think about what's involved in manufacturing, a loan, bank accounts, social security numbers, birthday, all of their most private information. If that data gets in the wrong hands and there's a breach and it's severe, I mean, it could be grounds for termination of a contract for sure.
Andrew Martinez (21:06):
Got it. And then I wanted to maybe switch gears a bit and talk about how the remote work aspect of this conversation. I'm wondering how remote work, just given that we're all in our offices today, has affected cybersecurity strategies, has affected third party risk management. I'm curious what happens when your employees are working with some of these platforms from their home and so forth?
Lindsay Barbera (21:28):
I mean, remote work has obviously become an industry standard, and it can afford employees an opportunity to experience flexible work arrangements, but also offer enhanced work-life balance. But with that comes additional exposure to cybersecurity threats such as phishing attacks, ransomware, unauthorized access. And so of course, yes, that raises, piques your attention a little bit more, but it's an industry standard. And Atlantic Bay, we really pride ourselves in being a remote employer. So because of that, because it's a priority and something that's very important to us, we chose to identify the risk, take the steps necessary to mitigate those risks and provide a secure environment. So we're able to meet employee needs and some of those things that they might not even know are in play or things like multifactor authentication, VPNs, which is a virtual private network, end-to-end encryption, secure document uploads, things like that we're able to offer and supply to be able to offer that remote work environment. And then as the risk is ever evolving and the threats are ever evolving, we adapt, we pivot, and if we need to increase or change things, we do so accordingly to make sure that we remain a remote employer.
Andrew Martinez (22:49):
And you mentioned some of the big ones, I think of two factor authentication, I feel like seems to be more and more ingrained in every company's systems. But I'm wondering if, what are the big ones? I suppose you just covered 'em right now, but I'm curious if two factor authentication seems to be one of the top, one of the most obvious ways to protect yourself, would you rank that up there?
Lindsay Barbera (23:11):
For sure.
Andrew Martinez (23:13):
And I guess that just makes me wonder about training as well, just training your staff on cybersecurity. I feel like I see, every week I see a report that X amount of employees out there aren't cyber aware. Just wanted to ask about how important it is to just have your cybersecurity training for all of your company's staff.
Lindsay Barbera (23:32):
I, I'm a firm believer in training in general, no matter what the topic is, because your staff is ultimately your first line of defense. But absolutely, training is critical. I believe that the more you know, grow. But so it is important for us to know and educate our staff, but also for them to just be aware of the why. When we were at the Digital Mortgage Conference, there was one of the gentlemen on our panel, he said, and I think it was in our intro call, I don't know if you remember this, he said, we don't want to be the department of no, N-O, we want to be the department of know, K-N-O-W. And I love that because he's right. We don't want to always say no, even though we maybe internally in the cybersecurity space, we know that that's probably the risk is involved. We want to also be able to educate and make our staff aware of the why behind. We might have to say no to something. And so that's why I think training is critical.
Andrew Martinez (24:31):
It makes me think of all the phishing emails that I'm sure everybody kind of gets those test emails, and sometimes it's like, here we go again. But it sounds like the kind of things that you really just, it's your due diligence that you have to do every time. Is that the kind of thing you think of, here's another test that we're sending out, but just every time it's important.
Lindsay Barbera (24:49):
Oh, a hundred percent. Yeah, because it doesn't take much. And you asked the question earlier about volume going up. I mean, the busier we get, the more careless we are. And so that's why it's important to really keep it top of mind. You don't want to oversaturate with training, but if we can find creative ways to keep it top of mind, I think that that's always super helpful. If so, is awareness
Andrew Martinez (25:13):
For sure. And actually, speaking of awareness, I'm wondering how you stay up to date on threats and security updates. You talk about just cybersecurity awareness from everybody, but I'm wondering, other than maybe getting a notification on your computer, how you really stay on top of it, because it seems endless, the amount of stuff we have to watch for.
Lindsay Barbera (25:31):
Yeah, I mean, there are several ways you can get 'em. We do. We have cybersecurity platforms that we use. I'm fortunate to have a team of extremely experienced cybersecurity folks that have a combined 50 plus years of experience in the financial services space. And so through their experience, they've developed relationships with their peers, and so they'll find out information through that, but they'll also get CISA alerts. Our vendors have an obligation to notify us of events, social media, the news, things like that. There's forums out there. There's a lot of different ways to stay up to date with alerts, but I don't know if you'll ever be able to stay up to date with all of them. You do your best, but there's so many different places it could come from. But we focus on the most important, the ones that are critical.
Andrew Martinez (26:21):
For sure. And wanted to also ask about just recently, the FHA rolled out this new reporting requirement. I least a 36 hour window for breaches, but just wanted to ask you about how you stay up to date and how you stay, compliant may not be the right word, but really just how you make sure you're in line with the agencies, because it seems this year they've really stepped up as reporting requirements. So I'm wondering how you guys just stay on top of that. And I guess, again, the playbook there.
Lindsay Barbera (26:48):
Yeah, agencies, I think Freddie Mac released one yesterday as well. They're making update changes to this, and that's in response to these events happening. So my team does a really wonderful job of documenting these updates and making sure that we keep 'em on a tracker for us. So we are aware of reporting requirement changes, but we also have to make sure that our vendors that we're doing business with, that they're also staying abreast of these requirements. Because at the end of the day, if the breach happens with them, the obligation is on them to notify the regulator or the appropriate agency of the incident.
Andrew Martinez (27:29):
For sure. And maybe just again, that question about who the third parties are, is that a vendor space? And the industry's been a little slower recently, but I'm wondering if that vendor space, is it growing or is it kind of shrinking? I'm curious the pool of companies that mortgage lender are looking at, if that's growing, if it's shrinking or how that's folding out.
Lindsay Barbera (27:49):
I mean, I guess I feel like every day you turn around and there's a new shiny car or shiny vendor out there that's going to do this and that. I think that there will continue to be an increase. I mean, look, at the end of the day, we're all struggling with the same things. We're all struggling with cutting costs. There's no lender out there that is just so in the black that they're not having to try and cut costs. We're all seeing the higher interest rates, the lower inventory. So I totally just lost my train of thought too.
Andrew Martinez (28:25):
No worries. Yeah, no, it's a lot of cybersecurity going on for sure. And maybe just another question here about an incident this year that I think was very widely known about the CrowdStrike incident. With that automatic update and talking about third party risk management, I'm curious maybe what was the lesson that you took from that in terms of just the way that happened to hit everybody that automatically updated maybe a lesson or advice that you took away from that incident here?
Lindsay Barbera (28:55):
Well, there's a couple of things. I mean, fortunately for Atlantic Bay in particular, we were not drastically impacted as many lenders were. I think the largest impact from the lender space was Encompass and the effect it had on ICE technology, we don't use Encompass. So that was beneficial to us. We did have some impact on a warehouse line space. So it made us more aware of do we need to expand our variety and be cognizant of that? Should it cause latest, should something like that happen again? But it also brought to light that automatic update piece where it just further magnified the remote work and how that can be challenging at times. I mean, a lot of things can be fixed with an IT person remoting into your computer and your PC, but there are things, and I believe, if I remember correctly in this particular incident, it was some of these updates had to be done manually on computer. So that provided a lot of challenges for companies out there.
Andrew Martinez (30:01):
Yeah, I feel like we're still learning the lessons from that one as well. I'm curious in this managing the third party risk conversation, if there's other aspects that maybe are lesser known. We talk about the way to protect yourself and your employees trained and so forth and your due diligence. But I'm wondering if there's other lesser known aspects, maybe the stuff that maybe isn't in the pamphlets or isn't at the conferences that some advice you would give regarding this.
Lindsay Barbera (30:31):
I mean, I think that one of the biggest things that's not talked about often, but we've talked about it today, is the impact financially that a lender can incur because of an incident. When an incident happens at a vendor, people tend to just focus on the impact that it has on that particular vendor. But take it a step further, and you've got to think about the impact that it has on everybody, every lender, every company that uses that vendor and that vendor services. What financial impact and what disruption and impact does it have on those folks as well?
Andrew Martinez (31:11):
Yeah, definitely. CrowdStrike example right there about everyone points the finger at maybe the airline, but it's just CrowdStrike that is affecting everybody.
Lindsay Barbera (31:21):
Right? I think you could poll a hundred people right now or the day before that incident, and 99 if not a hundred people, unless maybe they were in certain industries, had ever heard of CrowdStrike. But the media took it and it was a big deal because it was so widespread across all the different industries. But if a lender was severely impacted on that, don't think they were necessarily. I don't think that there's an association of, oh, they use CrowdStrike. We're never using them again. I don't think that the average consumer is correlating that much. I would think there might be more frustration, oh, Delta uses that or whatever. They missed their flight, and that might have been more correlation than tying it all the way. The average consumer probably has absolutely no idea how many vendors are involved in the manufacturing of a loan.
Andrew Martinez (32:11):
Yeah, no, that's a good point. And maybe before we go, just curious about that kind of consumer perspective. You think it's the kind of thing where consumers, let's say your average mortgage customer, if I'm shopping for a house and X happens at X company and I point the finger here or there, you think it's the kind of thing where consumers maybe are still kind of in the dark here, that cybersecurity awareness, maybe we still have a lot to learn, I suppose, when it comes to learning the chain of events and what goes on where?
Lindsay Barbera (32:41):
Yeah, I mean, I think they could, but when you're in the mortgage space, you just assume people kind of think like you. But the average consumer, the average first time home buyer, they're just not thinking that deeply into it. They're not as educated when it comes to what goes on behind the scenes in a mortgage, but it doesn't make it any. And I think the unfortunate reality is that I believe that most people think that their data is already out there to some extent, and that is an unfortunate reality. But what that doesn't change, especially for us and for at Atlantic Bay personally, I don't care if their data is out there already. It does not change our obligation and our priority to protect that consumer's data at all costs.
Andrew Martinez (33:27):
Yeah, no, that's good stuff. And as we approach on time here, just wondering what other party, excuse me, what other parting advice would you give to companies regarding their third party risk management? Maybe just emphasizing some of the points we made today, something else we didn't hit on. Just curious your parting advice.
Lindsay Barbera (33:46):
Yeah, sure. If you don't already have a strong vendor compliance or third party risk team, I would make sure you have one. Make sure you have a strong team that is vetting these vendors, not only to make sure that they are appropriate to do business with, but they are protecting and mitigating financial and reputational risk for your company. I would say take a look at your cyber liability insurance policy. Study it up and down. What does it cover? What does it not? Understand critical vendor cyber liability coverage as well. What does it cover? What does it not? If your policy is not adequate, talk to your agent about increasing your coverage. What I can't stress enough is have a solid incident response plan. It's pretty much required across the board now to have a business continuity plan, incident response plan should something happen. In the past, you could probably get away with a pretty bare bones plan.
(34:41):
I would not advise that. I would really, and if you do have one, test it. How does it work? Test an event happening, what did you find? What did you learn? And make changes accordingly. The last thing I would say is collaborate with your peers. One of the greatest things I find in this mortgage industry is everyone wants to help each other. We are such a great industry of collaboration. We're all going through the same thing. Reach out to your peer. If you're vetting a vendor, reach out and say, Hey, we're looking at so-and-so. Have y'all used them before? If they have, maybe they'll tell you some red flags that they found when they vetted them. And it saves you a lot of time and a lot of energy that it might not be a company you want to do business with. What are you doing for this? How are you handling this? Reach out to other folks in the industry that are going through the same things we are and lean on them. Another set of eyes, another couple sets of eyes can really open your eyes to a perspective that you might not be thinking about.
Andrew Martinez (35:41):
Yeah, that's actually really good advice, really strong advice. Really appreciate that insight there. We did come up on time. I feel like they went by so fast. I do too. Yeah. But that was a really fun topic. It was a really good chat. Thank you so much, Lindsay, for the time to talk here today. Yeah,
Lindsay Barbera (35:58):
Thanks so much for having me.
Andrew Martinez (36:00):
Yeah, of course. Anytime. We'll have to do it again. But thank you everyone tuning in today and hope everyone has a great afternoon.