The recent ransomware attack on
“This incident highlights the risk within not only the title industry, but all industries, of a potential cyber event and the impact of a single point of failure within the system,” said Gerry Gomblicki of Fitch Ratings in a report on the incident..
That point of failure exists in weaknesses in hardware, software and mechanical infrastructure along with other key entities in the supply chain, including cloud providers
“In particular, a long-lasting cloud outage at a major cloud provider, or an attack on a common software used by an industry segment or across industries, will have a disproportionate impact than an attack on a single entity,” Glombicki said. “Therefore, it is critical for companies to not only monitor their direct attack surface but also that of their supply chain and significant vendors to ensure operational resiliency in the event of a cyber attack.”
A watershed moment for the title industry came in 2013, when the American Land Title Association
But a lack of specifics led to a lack of uniformity across the industry, recalled Aaron Davis, CEO of the Florida Agency Network, which is a title and settlement services provider.
"So some people went super far right with it, and said 'Alright, we're going to do everything in our power, we're going to have assessments done, daily penetration testing done,' all these additional firewalls and security," he said.
At first, his company had a lot of site audits from the larger entities that employed its services, but those initiatives seem to have been relaxed in recent years, he continued.
Things started to change again last March as workplaces were forced to close their doors because of COVID-19. Shifting to the work-from-home environment, including moving data into the cloud, was one of the positive outcomes of the pandemic, Davis said, adding "everyone did adapt and move to more secure operations that way."
Data security has always been a top of mind issue, but ransomware might not have been the focus.
"For the last five years, it's all been around
Whether it was COVID-19 or a natural disaster like hurricanes or last winter’s
That preparation helped Florida Agency Network approximately three years ago when one of its smaller offices was damaged in a fire. Even back then, his company relied on cloud data storage for its approximately 30 offices.
The damaged office was operational in another location just miles away, Davis said. "Clients didn't even know that we had this emergency. Because we were cloud-based, we just popped up laptops, and it was business as usual. Our clients did not experience any downtime."
When asked if the Cloudstar attack made him reevaluate Florida Agency Network's plan, Davis said "I think any type of anything that happens, it certainly makes you review once again, so we are looking. You've already felt pretty confident in your infrastructure, but now you're looking once again, reviewing your third party vendors and whoever has additional access to the data."
That includes repairmen and other authorized users who can tie into the company's information technology structure; malware can be introduced from outside
"We've certainly dedicated a lot of time and effort to ensure that we don't have business operations as a result of any event, whether it's a security incident, natural disaster or ransomware," added Doug Horton, chief information officer at Lenderworks. "But every time this comes up I always think, 'Okay, let's go back and review. How are we doing? Is there anything new we should be considering?'"
No matter what defenses are put up, "the nefarious actors" will try different ways to get at a company's data and systems, he said.
"It involves, not just technology, not just hardware systems and services and diligent dedicated information security professionals, it's your staff up and down the line," Horton said. "You're educating them, testing their readiness, and ensuring that they understand not to take everything at face value."
Companies must use a multilayered approach to protecting against any of these types of incidents. "There's no one silver bullet to protect you," Horton warned.
When he started at Lenderworks four years ago, a robust plan already was in place. "As we've marched forward and adopted new technologies, those plans and those policies and procedures have to constantly be updated and make sure that we're accounting for the new widget that we installed last year," he continued.
Both Lenderworks and Florida Action Network have undergone
"That was a very good exercise to ensure that we were covering all of our best practices in terms of disaster recovery, business continuity and security considerations," Horton said.
There needs to be a top down commitment from ownership and management when it comes to information technology security practices.
"It's not an IT technician's job; it's really the entire company's job to ensure we are prepared," Horton said. "We have technology that scans our network for vulnerabilities, we have behavioral analysis technology that watches for things that don't look right, like if so and so just deleted 200 files."
On the other hand, some potential clients might not be as ready, and so "that's where we come in and say, let us help you because we have a very comprehensive program [and] really take advantage of our experience," he said.
But even after measures like the
Redundancies should also be built in. Even though the data is in the cloud, a copy should reside in a separate space or on a different media type so that a backup can be employed.
"Being in the cloud presents a different risk profile," Horton said. "But there's more capabilities readily available to you that you can turn on very quickly, and we've taken advantage of those."
ServiceLink, which provides valuation, title, flood and default services, has a dedicated business continuity division responsible "for the ongoing testing and validation of our business disruption plan and protocols to ensure they are reflective of what the market, and our clients, are experiencing in real time," said Matt Woodhouse, managing director, valuations.
Even with its measures in place to ensure business continuity before the pandemic, including being equipped to allow staff to work from home, ServiceLink had to pivot in real time as so many others in the mortgage industry did.
After all, the Consumer Financial Protection Bureau holds mortgage lenders accountable for
"We make sure to always keep in close contact with our lender clients on business disruption planning to ensure they feel supported and have an active seat at the table as any measures we have in place also impact their business," Woodhouse said. "We never want to do any of this planning in a vacuum."
Clients have provided input to ServiceLink about how it can strengthen and make processes better.
"Alternatively, we always ensure that we are reviewing our third-party partnerships and the risk protocols they have in-place on their end to ensure our data is secured and protected as well," Woodhouse said. "It is everyone's collective commitment to mitigate risk and we take that responsibility seriously."