How the mortgage industry is responding to cybersecurity risk

Ransomware attacks and cyber breaches are on the rise and proving to be a serious challenge for the industry.

While Fannie Mae is partnering with Amazon Web Services to strengthen its defenses against cyber attacks, other entities are urging greater vigilance through enforcement. For example, the New York State Department of Financial Services is issuing fines to lenders who fail to provide adequate cybersecurity for their customers' private information.  

For more on these and other cybersecurity stories, read our roundup below.

Focus on cybersecurity grows at Fannie Mae

Fannie Mae is increasing its online security efforts with help from Amazon Web Services by developing a solution that recognizes and matches similar cyber issues across different services, ensuring better distribution of security systems.

"Like every other company, Fannie had gaps," said Chita Elango, senior director of application security at Fannie Mae. "It is not perfect, we were developing applications at a very fast pace but we weren't concentrating on security." 

Fannie Mae will continue to focus on its cybersecurity improvement plan by annually reviewing cyber risks using vulnerability scans and other assessments.

Read more: Fannie Mae bolsters cybersecurity with Amazon Web Services

OneMain receives penalty for poor cybersecurity

OneMain Financial Group has been fined $4.25 million for violating the cybersecurity regulations of the New York State Department of Financial Services, including failing to manage third-party provider risks and allowing the use of default passwords that gave access to sensitive customer data.

The penalty "demonstrates the department's dedication to upholding the responsibility of licensees," said New York banking superintendent Adrienne Harris.

For its part, OneMain is looking beyond this episode. "Cybersecurity is an evolving area, and we intend to continue our focus on enhancing our capabilities to meet risks as they arise, in accordance with best practices for our industry and in cooperation with our regulators," said a OneMain spokeswoman.

Read more: New York regulators fine OneMain $4.25 million over cybersecurity practices

Privacy data breach threatens Academy Mortgage

Academy Mortgage joined the ranks of lenders that have been targeted by cyber attackers this year after the hacking group AlphV, or Black Cat, threatened to publish sensitive company and customer information unless a ransom was paid.

"Considering the recent underwriting fraud case that your company faced in December, a privacy data breach could have a devastating impact on your reputation and credibility," read the threat post by the group. 

While the FBI recommends not paying ransom, the incident highlights the dilemma faced by mortgage lenders when threatened by cyber attacks, which have compromised more than 200,000 customers so far this year.

Read more: Academy Mortgage allegedly targeted by ransomware gang

Eight-month lag in data hack reporting highlights inconsistent requirements

It apparently took LoanDepot only hours to shut down a cyber attack last August that put nearly 1,500 customers' personal data at risk. However, it took the company eight months to report it.

"LoanDepot identified brief unauthorized access to a small number of internal accounts; this access was terminated and the incident was remediated within three hours," said Joseph Grassi, chief risk officer.

Such a time lag is not uncommon for mortgage lenders, but it is also symptomatic of the inconsistent reporting requirements across the U.S., which leave customers facing not only the threat of cyber attacks but also the prospect of waiting months to hear about them.

Read more: LoanDepot says it quickly shut down a hack last August

Cyber attackers' focus now includes vendors, too

Cybersecurity continues to be an issue in the mortgage industry, with ransomware attackers now going beyond lenders and targeting their vendors, too.

Carrington Mortgage Services was at pains to downplay the data security breach at its vendor Alvaria and did not disclose the number of customers affected. But as one of the country's largest servicers, with $122.1 billion in MSRs, the firm is understandably concerned.

As part of its disclosure letters reporting the attack to state attorneys general, Carrington announced "an additional assessment of Alvaria's technical security measures… to help ensure this type of incident does not happen again."

Read more: Carrington reports ransomware attack at tech vendor 
MORE FROM NATIONAL MORTGAGE NEWS