MReport February 2020

TheMReport — News and strategies for the evolving mortgage marketplace.


take remedial action after the fact. Therefore, taking preventative action is crucial. At a minimum, such actions should address the following:

• security information and event management (SIEM)
• data loss prevention
• patch management and software vulnerabilities
• penetration testing
• firewall administration
• development of business continuity and disaster recovery plans (with related testing)
• vendor/third-party service provider risk management
• systems security processes and procedures
• cloud security
• web application development and security reviews
• compliance with SOX, HIPAA, and other applicable government laws and regulations

Having a technology solution that focuses on prevention and encompasses the critical components of cybersecurity outlined above is prudent. Investing upfront in an appropriate technology solution can help avoid the losses associated with data security breaches; by not investing upfront, mortgage banking entities expose themselves to a wide array of issues. In addition to the direct losses from a data security breach, mortgage banking firms also open themselves up to the costs of lawsuits, fines, and penalties assessed by regulatory and governing bodies. Data breaches may also lead to a decline in consumer and investor confidence, cause significant reputational damage, and result in the loss of existing business and/or the forfeiture of new business.

Security Roadmap and Operational Risk Management

Preparing a comprehensive enterprise security roadmap and risk assessment focused on the mortgage banking entity's overall information management effectiveness is critical.
It is essential to have in place a security roadmap and a prepared risk assessment that encompass a wide range of areas, including network and server architecture; governance, risk, and compliance; operational controls; and security policies, procedures, and oversight. Such an assessment should include detailed information concerning security gaps, along with a prioritized roadmap for reducing overall risk by preventing and minimizing security incidents and breaches before they occur. Controls and risks should be analyzed against ISO 27001 and the NIST SP 800 series of security standards, as well as other generally accepted industry practices.

Having such an operational risk management infrastructure in place will likely build confidence (e.g., among regulators, investors, and consumers) that the mortgage banking entity has the necessary controls in place to proactively safeguard against cybersecurity risks. This may be particularly true of regulators and investors, who tend to have a deeper understanding of the risks associated with cybersecurity breaches.

Building a Comprehensive Security Program

Building a comprehensive security program that factors in applicable business laws, regulations, and standards is a key step in dealing with cybersecurity risk. Developing specific organizational policies and programs that create an overall risk engagement strategy is highly recommended. In addition, mortgage banking firms should have a robust and formal risk-management oversight program in place to ensure optimum value exists across all vendor and third-party relationships: to maximize quality, strengthen control, protect information and data, minimize risk, and reduce cost.

Given the widespread use of third-party service providers and vendors across the mortgage finance industry (e.g., property valuation/BPO providers, wholesale originators, property managers, skip-tracing agents, foreclosure and bankruptcy attorneys, title agents, mortgage insurers, etc.), it is important that every third-party entity used has the necessary controls in place to protect and safeguard consumer and investor information and data. A robust and formal third-party vendor surveillance process must be put in place. More specifically, mortgage banking firms should have formal processes established to ensure that vendor/third-party assessments are done on a consistent, periodic basis. Protocols should exist to identify issues and to ensure that the necessary remedial actions are taken by the third-party vendors being utilized. Additionally, root-cause analysis should be conducted on any systemic issues that are identified so that the necessary controls and preventative actions can be deployed to prevent future data and cybersecurity breaches. Furthermore, poor performers and repeat offenders should be replaced with more qualified suppliers in order to safeguard information and contain the risks associated with data breaches.

Risk and Control Self-Assessment (RCSA)

Having a robust Risk and Control Self-Assessment (RCSA) capability is an essential component of a proactive and preventative cybersecurity risk management process. Firms should invest in a technology solution that allows management to perform targeted testing of controls in advance of a cybersecurity breach, so that controls can be implemented and/or strengthened as necessary. Furthermore, RCSA is a critical component that should be built into the cultural foundation of any mortgage banking organization, so that the workforce is dedicated to continuously improving processes and the underlying controls.
Taking such a proactive stance, along with implementing

Mortgage bankers should consider having one end-to-end technology solution that can assist them in getting out in front of those latent and hidden risks that may cause damage.
