
Combatting Cybersecurity Threats Requires A Multi-Layered Strategy

By ERIN FLYNN JAY

There will be multiple challenges for the mortgage industry in 2025 from a cybersecurity perspective. The technology in use and interconnectedness of the industry can attract bad actors who want to disrupt companies and harm borrowers.

Edward Starkie, cyber security director at Thomas Murray, said the U.S. mortgage industry is a lucrative target for these bad actors, many of whom are financially motivated.

“Several very prevalent threat actors actively seek to exploit business processes by intercepting data and messages to redirect funds using man-in-the-middle attacks or cause both disruption and gain financially by deploying ransomware,” said Starkie.

Starkie said the existence of older technology and the fragmentation of the industry into smaller organizations increase the likelihood of successful cyberattacks.

Kimberly Sutherland, vice president of fraud and identity strategy at LexisNexis Risk Solutions, said CEOs are increasingly concerned about the risks.

The rapid growth in identity theft, synthetic fraud, and account takeovers presents a challenge that is often far more complex than traditional on-premise security measures can address.

“Verification of application data is no longer enough with the availability of consumer personal information due to data breaches and as the digital economy expands and more consumer interactions move online, the threat of cybercrime and data breaches also grows,” she said.

More than ever, Sutherland said understanding the customer journey and behavior can help identify potential attacks in their early stages and prompt a response.

For example, a real-time, in-app message asking the end-user/customer to confirm that they are about to make an unusual payment, and to verify that they are not being coerced into it, can prompt a last-minute check and stop an attack that would otherwise succeed.

Sutherland said companies should supplement their authorization controls by safeguarding entry to systems, data, and applications with best-in-class digital and physical identity analysis and verification tools.

Sutherland said company leaders should also consider the risks associated with third-party vendors when developing a security plan.

“Protecting a company’s operations, reputation, and sensitive information requires careful management of risks associated with outsourcing to third-party vendors,” said Sutherland.

“This process, known as third-party risk management, involves steps like evaluating the need for a vendor to conduct an end-to-end program from conducting due diligence, selecting a provider, assessing risks, drafting contracts, onboarding, conducting ongoing monitoring and periodic audits, and eventually offboarding when the contract ends.”

Brad Blumberg, founder of Aster Key, said data breach costs in the mortgage industry are much higher than in other sectors, partly due to the regulatory and reputational damage involved.

“The average is $5 to $10 million, with larger companies facing even steeper costs,” said Blumberg. “For example, Loan Depot’s cybersecurity incident cost five times that amount. Even a $1 million breach can wreck annual financial results for mortgage firms, community banks, and credit unions.”

Class action lawsuits often follow breaches, sometimes costing more to resolve than rectifying the attack itself. 

“Google any affected lender and the word ‘breach,’ and you’ll see posts from class action attorneys looking for recourse,” said Blumberg. “Even large firms struggle to prove they’ve taken adequate precautions, as seen in the $500 million fine against Equifax for poor data protection practices.”

Blumberg said mortgage companies can guard against data breaches and cyber-attacks through two key strategies:

  1. Blocking and Tackling: Implement security measures and create a company-wide culture that prioritizes data protection alongside sales, similar to leaders like Apple.
  2. Be a Leader: Go beyond the “industry standard” to effect meaningful protection and change.

“Cybersecurity is both a technological and cultural challenge. The C-suite, from small credit unions to mortgage firms of all sizes, must prioritize key actions to mitigate risks. They must implement strict access controls and enforce role-based access and privilege for all employees. They also need to adopt multi-factor authentication and require it for all devices and systems,” said Blumberg.

Blumberg also mentioned the need for caution with vendors, saying leaders should take a close look at the risks associated with sharing customers’ data.

There are also security challenges to be considered in the real estate industry.

Nathan Richardson, founder of CashForHome.com, said in 2025 the real estate industry will confront new cybersecurity threats fueled by the adoption of even more digital tools and the management of ever-larger quantities of sensitive information.

“Specifically, there is the risk of cybercrime; most prominently, cyber-attacks on real estate firms that hold mortgage applications, tax documents, and banking records, which include sensitive personal and financial information,” said Richardson. “Hackers may target data held on operating platforms or real estate management systems run on the cloud.”

With the advent of smart buildings and devices connected to the Internet of Things, physical security will be problematic as well. Breaches in smart locks and security cameras could present a risk to businesses, Richardson said.

The most obvious way to mitigate cybersecurity threats is through employee training. Staff members should learn how phishing attempts are initiated and about secure communication methods.

The National Association of Realtors has a cybersecurity checklist of best practices.