TheMReport — News and strategies for the evolving mortgage marketplace.
Issue link: http://digital.themreport.com/i/1205400
28 | M R EP O RT FEATURE process improvement routines that may be deemed necessary, can help avoid costly cybersecu- rity breaches. This will help to minimize or eliminate financial losses and prevent associated reputational damages. Risk Event Management C learly, mortgage bank- ing firms must embrace a technology solution that helps in preparing vulnerability assess- ments and penetration testing. A penetration test assesses the effectiveness of security controls by simulating a real-word attack that mimics current adversary techniques. Penetration testing is useful for illuminating unknown security weaknesses that could result in data being compromised. This enables the organization to identify cybersecurity weak- nesses and implement necessary safeguards and controls prior to an actual breach occurring. It also assists mortgage banking firms in developing a comprehensive set of documented cybersecurity policies and procedures through clear identification of control gaps opposite critical processes. It is critical to have a technology solu- tion that can help determine the existence and possible exploita- tion method of vulnerabilities associated with network hosts, devices, and applications from the perspective of an intruder target- ing the systems from the internet. Multi-factor authentication and risk-based authentication is neces- sary to protect against unauthor- ized access to private non-public information or systems. What About the RMBS Process? O f course, it goes with- out saying that the entire mortgage-backed securitization process is at risk relating to cybersecurity weaknesses and attacks. Deal structurers, issuers, sponsors, private-label investors, government-sponsored entities (GSEs), bond/mortgage insurers, and trustees—to name a few—are all vulnerable when it comes to the protection of data relating to mortgage securitizations. From tape cracking, to data aggregation, to putting together confidential deal documents, to protecting and sharing proprietary borrower in- formation—the threat of cyberse- curity weaknesses and attacks are very real and pose significant risk to all parties involved. In a mortgage software solu- tions blog published back in May 2015, author Justin Kirsch noted that "the mortgage industry is particularly vulnerable to digital breaches because of the number of parties involved in the shar- ing of sensitive data." Since that time, security breaches and other disruptions have only increased due to the rise in more advanced technologies and increased sophistication of cyber predators. The proprietary and confidential nature of in-process deal securiti- zations is also subject to cyberse- curity attacks. As a primary example and to further illustrate this point, consider the sponsor—the firm that has originated or purchased a given quantity of mortgage loans, groups them together to form a pool and subsequently issues a security backed by underlying mortgage loans. In the ordinary course of business, the sponsor will acquire and store sensitive data—including intellectual prop- erty, proprietary business informa- tion, and personally identifiable information of prospective and current borrowers, employees, and third-party service providers. Given the criticality of the secure processing and main- tenance of this information, the loan sponsor's information technology and infrastructure may be vulnerable to attacks by hackers or breaches attributable to employee error, malfeasance, or other disruptions. Any such breach could compromise its net- works, and the information stored therein could be accessed, publicly disclosed, misused, lost, or stolen. Any such access, disclosure, or other loss of information could result in legal claims or proceed- ings, regulatory penalties, or li- ability under laws that protect the privacy of personal information, disruption to the loan sponsor's operations and the services it provides to customers, or damage to its reputation—any of which could adversely affect the opera- tion, reputation, and competitive position of the loan sponsor and, in turn, the borrower. Effectively managing cybersecu- rity risk cannot be accomplished without having a suitable end- to-end technology solution that enables management to proac- tively take preventative measures before a breach occurs. Having an automated and robust risk solution for managing operational risk, internal control, and regula- tory compliance is critical so that mortgage banking firms have the essential tools that are needed to effectively manage cybersecurity risk and undertake the neces- sary preventative actions ahead of security breaches. . VINCENT SPOTO has more than 25 years' experience in the mortgage banking and financial services sector. He has held senior management roles with JPMorgan Chase, Citigroup, and Credit Suisse, and is known as a subject matter expert pertaining to loan servicing and default management. Currently one of three Founding Partners and a Managing Director of RRMS Advisors, Spoto is a seasoned mortgage banking professional who provides advisory and consulting services relating to mortgage loan servicing, servicing surveillance, default management, asset disposition, and loan securitizations. Given the widespread use of third- party service providers and vendors across the mortgage finance industry, it is important that all third-party entities used have the necessary controls in place to protect and safeguard consumer and investor information and data. A robust and formal third-party vendor surveillance process must be put in place.