The recent blackout of Ellie Mae’s Encompass360 on the last day of March served as a stark reminder of the vulnerabilities of the mortgage tech sector to Distributed Denial of Service attacks.
While Ellie Mae would later declare that no such attack happened, the thought still sticks.
Indeed, coincidentally, the Office of the Comptroller of the Currency issued a joint statement with other federal regulators to notify financial institutions of the risks associated with the continued distributed denial-of-service attacks and the steps that institutions are expected to take to address these attacks.
The joint statement refers institutions to resources to help them mitigate the risks posed by such attacks.
This guidance may only impact larger financial institutions but still serves as a best practice for smaller players, in any case.
The OCC said each institution is expected to:
- Monitor incoming traffic to its public Web site.
- Activate incident response plans if it suspects that a DDoS attack is occurring.
- Ensure sufficient staffing for the duration of the attack, including the use of previously contracted third-party services, if appropriate.
The final point is important because sufficient staffing won’t be enough, and I’ll explain why. As an industry, the mortgage space is not doing enough to train its people properly.
Never mind just in emergency response, but also on the front, proactive end.
We just aren’t doing a good enough job.
According to the Mortgage Bankers Association, independent mortgage banker productivity was two loans originated per production employee per month in the fourth quarter, down from 2.5 in the third quarter.
Independent mortgage banks and mortgage subsidiaries of chartered banks made an average profit of $150 on each loan they originated in the fourth quarter of 2013, down from $743 per loan in the third quarter, the Mortgage Bankers Association (MBA) reported in April in its Quarterly Mortgage Bankers Performance Report.
“Fourth-quarter production profits were at their lowest levels since inception of the Performance Report in 2008, driven by study-high costs in a declining mortgage market,” said Marina Walsh, MBA’s vice president of industry analysis. “One consolation was in mortgage servicing, where financial income improved. However, not all mortgage companies retained mortgage servicing rights or generated margins large enough to offset production losses. It is perhaps not surprising that only 58% of participating companies had overall positive pre-tax profits in the quarter.”
If the industry is going to get the mortgage production back on track, then production itself needs to be more streamlined and efficient. The system can be streamlined and efficient, but benefits little if people aren’t streamlined and efficient in using the system.
Never mind if the system itself can be compromised. Could Ellie Mae have avoided this incident? Perhaps, they’re certainly eager to put it behind. But, to be fair, of all the times Ellie Mae could’ve failed, right around now is probably not the worst time possible. Or at least, it could have been worse timing, like once the market already adjusted to new regulations or when spring selling is in full effect.
The point is, none of that matters in an environment where production is slowing down and costs are going up.
A full revamp of a firm’s work environment should be examined yearly with the aim to look for ways to change.
In my five years at HousingWire, there have been four rotations of newsroom culture, with each one producing clear improvement. We are now doing more, with less people and with lower costs (knock on wood).
If we did it, you can do it too.
The mortgage industry’s recovery is depending on it.