Mortgage lenders brace for costly new AI security rules

Increasing regulations from state legislatures mean mortgage players should budget for more cybersecurity spending, according to Richey May.

The Federal Housing Administration last week formalized a 36-hour reporting requirement for cyber incidents, keeping it in line with guidelines by other federal and state financial agencies. Home loan companies will also have to comply with more consumer protections, such as a first-of-its-kind artificial intelligence law in Colorado. 

Michael Nouguier, chief information security officer and director of cybersecurity services at Richey May.
Courtesy of Richey May/Andrew Kowalyshyn

"I would expect in the mortgage space, a maybe 10% to 15% increase in their cyber spend year-over-year," said Michael Nouguier, chief information security officer and director of cybersecurity services at Richey May. "It's potentially something that's going to have to happen for them to comply and be secure."

The Denver-based company provides auditing, tax and cybersecurity services for mortgage companies and is working with its clients to prepare for the year ahead. Nouguier spoke with National Mortgage News about cybersecurity developments mortgage participants should watch for heading into the new year. 

This interview has been edited for length and clarity.

What regulatory requirements should lenders prepare for?

Michael Nouguier: We're going to see AI regulations coming. The one that's most relevant is Colorado's Consumer Protections for Artificial Intelligence law, which impacts mortgage banks specifically more than other financial institutions. The way that law was written was that banks don't have to comply with the act outside of the mortgage banking arena. (Banks and credit unions subject to other state and federal regulations are already considered compliant with the law.)

That's a large focus for mortgage banks because it's a massive increase in effort and costs to comply. That goes into effect in 2026, but 2025 is going to be the year of preparation. Organizations have to set some pretty stringent requirements for their AI vendors and their AI usage. 

What you're going to see cropping up all of 2025 is that other states are going to follow Colorado, basically making the mortgage bank liable for any AI-produced response to a consumer. It's pretty contentious in the industry. It requires that anybody in Colorado leveraging AI, whether or not you're based in Colorado or you're just serving consumers, has to be compliant.

This is requiring an annual risk review of your AI third parties, which could increase costs, given the loose definitions in the rule, by thousands or tens of thousands of dollars per AI vendor that you're going to leverage. If it's fully implemented without changes, mortgage banks are going to have to consider what AI companies they want to take on the investment of vetting to use.

With all the regulations from a state perspective, we'll start to see a trickle-down effect. You saw California's Consumer Privacy Act passed, then we started seeing other states talk about it, other states passing it, other states implementing reviews of legislation. This is just going to be wave two as we move forward.

What are some examples of AI errors?

Michael Nouguier: The opportunities for error are endless as we start to integrate AI with everything. It can be making a decision on a loan that leverages AI. If that decision is wrong or the AI error impacts somebody negatively, the lender is liable. It could be an email response that was written in AI that made a mistake and somebody didn't vet the output.

The idea behind the [Colorado] law is we can't fully rely on AI to automate what we're doing for our consumers. In the mortgage space that's everything. It could be an underwriting decision. It could be a marketing decision that leaks private details of somebody and makes a mistake in a mail merge.

What we'll start to see is really thorough contract negotiations between mortgage banks and their third parties. There's going to be a lot more due diligence involved in vetting and integrating technologies that have AI.

What lessons should lenders take regarding security updates, following the CrowdStrike incident?

Michael Nouguier: A lot of the things that we've consulted on after CrowdStrike are how to build maturity in those processes inside of your environment. It's not just CrowdStrike. It's Microsoft, Apple, it's any update that can be made on a computer that can negatively impact an organization if it hasn't been tested effectively.

The organizations that thrived when CrowdStrike had their issue were the ones that didn't have automatic updating. They had the maturity and the capability to test those updates, identify that they worked, and push them out systematically. It's a common change management mentality. 

With something like CrowdStrike, most organizations usually stick with the default to automatically update. But there's potential for negative impacts from stuff like that. The more mature organizations have the resourcing capability, skill sets and effort on their team to perform this. They take security updates and test them thoroughly inside their environment.

You'll see this a lot in aerospace. You can't automatically push an update to a satellite and have the satellite go down when it's far away. You have to thoroughly test that in a sandbox before you deploy it.
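The change-management practice described in this answer (no blanket auto-update; validate in a small sandbox ring first, then promote ring by ring and halt on the first failure) can be sketched in code. The following is an added illustration written for this page, not code from Richey May, CrowdStrike or any vendor mentioned; the `Host`, `Update` and `staged_rollout` names, the ring layout and the health check are all constructed, and `breaks_hosts` simply stands in for whatever defect a real update might carry.

```python
"""Staged (ringed) rollout of a security update with a health gate.

Hypothetical example: models the change-management practice from the
interview. Hosts, rings and health results are constructed in memory so
the script runs offline; nothing here talks to a real update service.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Update:
    name: str
    version: str
    # Constructed stand-in for a defect that only shows up once installed.
    breaks_hosts: bool = False


@dataclass
class Host:
    name: str
    ring: int            # 0 = sandbox, 1 = pilot, 2 = production
    installed: str = "1.0.0"
    healthy: bool = True

    def apply(self, update: Update) -> None:
        """Install the update; a defective update leaves the host unhealthy."""
        self.installed = update.version
        if update.breaks_hosts:
            self.healthy = False


@dataclass
class RolloutResult:
    promoted_rings: List[int] = field(default_factory=list)
    halted_at_ring: Optional[int] = None
    affected_hosts: List[str] = field(default_factory=list)


def health_check(hosts: List[Host]) -> List[str]:
    """Return the names of hosts that failed their post-update check."""
    return [h.name for h in hosts if not h.healthy]


def staged_rollout(hosts: List[Host], update: Update,
                   max_unhealthy_ratio: float = 0.0) -> RolloutResult:
    """Apply the update one ring at a time, lowest ring first.

    Each ring must pass its health gate before the next ring is touched.
    With the default ratio of 0.0 a single unhealthy host halts the rollout,
    so a bad update never leaves the sandbox ring.
    """
    result = RolloutResult()
    for ring in sorted({h.ring for h in hosts}):
        batch = [h for h in hosts if h.ring == ring]
        for host in batch:
            host.apply(update)
        failed = health_check(batch)
        if len(failed) > max_unhealthy_ratio * len(batch):
            result.halted_at_ring = ring
            result.affected_hosts = failed
            return result          # stop: later rings stay on the old version
        result.promoted_rings.append(ring)
    return result


def build_fleet() -> List[Host]:
    """Constructed sample fleet: 1 sandbox, 3 pilot, 6 production hosts."""
    fleet = [Host("sandbox-01", 0)]
    fleet += [Host(f"pilot-{i:02d}", 1) for i in range(1, 4)]
    fleet += [Host(f"prod-{i:02d}", 2) for i in range(1, 7)]
    return fleet


def demo(bad_update: bool) -> RolloutResult:
    """Run one rollout over a fresh fleet and return its outcome."""
    fleet = build_fleet()
    update = Update("sensor-content", "1.1.0", breaks_hosts=bad_update)
    return staged_rollout(fleet, update)


if __name__ == "__main__":
    print("good update:", demo(bad_update=False))
    print("bad update: ", demo(bad_update=True))
```

The point of the gate is that a defective update is caught while only the sandbox ring is running it; the pilot and production hosts are never touched, which is the "test, confirm it works, then push systematically" sequence the interview describes.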

How are cybersecurity costs evolving?

Michael Nouguier: Any time that there's more regulation, you tend to see costs increase because people start to move to cybersecurity services. I think that there's going to be a pretty decent increase in spending globally in cyber next year as organizations have to comply. 

Secondarily, there are sections of the technical and cyber landscape that include privacy. That's starting to drive up spending in organizations that have to comply with privacy acts.

I would expect, in the mortgage space, a 10% to 15% increase in cyber spend year-over-year; it's potentially something that's going to have to happen for them to comply.

That being said, we're seeing the costs of services in certain areas go down because competition is increasing. Typically when something is heavily regulated and required, you create this demand and surplus of organizations that are looking to make a quick buck and hopefully provide services that somebody needs at a lower price. 

Over the last several years, the cost of penetration testing in the mid-sized market has started to decrease. But what's increasing is the scope. You're starting to see automation take effect there and decrease the price of certain services in the space. 

Are cyber insurance costs rising?

Michael Nouguier: I've got a bunch of stories about organizations whose cyber insurance policies have doubled and tripled year-over-year, similar to homeowners insurance. As we see more and more organizations impacted, whether you've been impacted or not, your costs are going to increase for cyber insurance. 

I have seen organizations forgo cyber insurance. There's not a requirement a lot of times for organizations to have that. At that point you'd be considered self-insured. When I first started in the space, you used to be able to get a cyber add-on for a couple hundred bucks to your professional liability insurance. Nowadays, we've seen policies cost several hundred thousand dollars per year for millions of dollars [of coverage].

If you're paying, for example, $650,000 a year for a $5 million policy, you're already out almost a fifth of the cost. You or the insurance company are basically assuming that you're going to get breached that year. You could understand why an organization would say, I'm paying three quarters of a million dollars for a $5 million policy that I may never cash in on. Is this the best route to go? Or should I go the self-insurance route and stash $5 million away in a fund that I can leverage in the event of an incident? So we do see organizations decide to go that route. 

I also have seen organizations decide not to renew their cyber insurance, and then get hit and they don't have the money to financially move through it, so it ends up with them shutting their doors. Not specifically in the mortgage space, but in general. 

That's their prerogative. If regulation is requiring it, like the New York Department of Financial Services, which requires that you get an annual pen test, forgoing that would mean that you would be risking your licensure. It's always better to be prepared than to risk it, have a breach, get audited and caught, and potentially be fined on top of being breached.

What other advice would you give to mortgage companies?

Michael Nouguier: If you get breached, there's a higher likelihood that it will impact you severely enough that you may not be able to survive that from a business perspective. When looking at what budgets you can cut, cybersecurity is probably not one of them.

Focus on how you can extend the dollars you have in your budget to provide you what you need to remain resilient. A lot of organizations lack direction on how to move forward in these spaces, so making sure they garner that direction and build a roadmap for success in cybersecurity is really the best place to start for 2025.