Recently, Capco consultants sat down in an intimate forum with chief information security officers (CISOs) from several mortgage lenders to hear what was on the top of their minds and learn about several of their most important cybersecurity initiatives. These lending organizations cover a wide spectrum of sizes, service offerings, and geographic footprints, but they shared several common struggles.

Safeguard all vectors, regardless of budget. Cybersecurity budgets vary, but all companies are expected to cover the same bases in terms of securing the organization and its customer data. Cloud security, remote and distributed workforces, governance, third-party risk, and data privacy are just a few of the many challenges facing mortgage lenders.

Foster cybersecurity culture. The industry has a long history of paper-based transactions that still affect behaviors today. Despite digitization efforts and numerous collaboration solutions, employees and partners still share information on insecure channels and stonewall efforts to move the user experience to secure platforms.

Buy today, secure it tomorrow. When choosing technologies, mortgage lenders slant heavily toward a “buy and integrate” mindset over building their own platforms. This allows these organizations to take advantage of security investments made by vendors, but it often leads to a large and fractured ecosystem of SaaS offerings. Individual business groups often buy these products directly, bypassing vendor management or third-party risk governance processes. Cybersecurity becomes an afterthought and security teams must layer security into these new services without affecting user experience or performance.

CISOs have various ways to mitigate these challenges, but there are three areas that continue to emerge as focus areas for this year:

• Identity and Access Management (IAM) – Mortgage lenders have implemented or are moving toward SaaS-based identity providers and mature access management solutions that support diverse workforces and integrate with a range of other cloud services. More work is needed to educate stakeholders and functional managers that installing these tools is only half the battle. Existing applications must be integrated into these platforms to secure them and make on- and off-boarding processes more seamless. Managers must own the access review and certification process to prevent privilege creep and unauthorized access. This requires education and a cultural shift where managers embrace their role as a sentry that maintains least privilege.

• Safeguarding the close process across partners – Mortgage lenders partner with as many independent brokers, title agencies, and closing companies as possible to give their clients flexibility. These third-parties typically have less mature cybersecurity practices and capabilities, and the fractured nature of this partner ecosystem makes it challenging to enforce security requirements. Seeking a reasonable, minimal checklist of cybersecurity requirements for partners to follow is a common goal, but executive buy-in is a necessity to ensure that functional groups will only work with affiliates that meet these conditions. A stretch goal is to establish a central clearinghouse that securely validates and safeguards payment information across the partner ecosystem.

• Use layering to minimize risk and encourage compliance – Layering, or defense in depth, is a common strategy for deploying security tools and establishing multiple levels to stop an attack. It can also be used to nudge business groups toward complying with procurement and data privacy policies. Mortgage lenders often have policies that mandate vendor governance and cybersecurity reviews before new services or products are acquired. However, individual business groups will often acquire products to satisfy a need quickly and ask for forgiveness later. CISOs have bolstered these policies by setting up notification processes with supply chain, vendor management, and accounting groups to be on the lookout for requests, transactions, and expense reports that indicate the purchase of such services.
  

Employees will also look for the path of least resistance to receive customer files quickly and prevent burdens on the customer. These actions involve sensitive data being sent over unsecure or unauthorized channels that put customer data and regulatory compliance at risk. Consider leveraging email inspection and data loss prevention (DLP) tools to intercept and encrypt messages or replace with a link to a secure file share.

The challenges and initiatives the CISOs shared are relevant for mortgage lenders of all sizes and for many organizations outside of the lending space. The discussion showed that organizations recognize the importance of cybersecurity, but taking the secure path is not yet the default mindset.

For more information on these topics and how Capco has helped clients with efforts like these, please contact Robert Furr at Robert.Furr@capco.com.