In the wake of numerous high-profile cyber security breaches that have afflicted some of the world’s largest technology companies, it’s incumbent upon financial professionals, including those in the reverse mortgage industry, to be aware of cyber security threats and how to protect against attacks that can affect clients, businesses and employees.
This is according to a panel of experts discussing the topic of cyber security in the context of the reverse mortgage business, which was held at the National Reverse Mortgage Lenders Association (NRMLA) Annual Meeting in Nashville, Tenn.
High-profile data breaches
Setting the stage for the importance of observing physical and digital security, several recent high-profile breaches at major technology companies were highlighted. These include the July 2019 data breach at Capital One that compromised over 100 million records of its customers; a May 2019 breach at title insurance company First American Financial Corporation which affected as many as 885 million individual records from unknown numbers of customers; the 2017; and the 2017 data breach at consumer credit reporting agency Equifax that exposed the personal data of as many as 143 million people.
“If it can happen to these big marquee, publicly-traded companies, it can happen to anybody in this room,” says Mark Johnson, president of appraisal management company the LRES Corporation. “We need to determine how we take those headlines back to our own operations, and move forward in terms of coming up with a plan.”
While reverse mortgage companies come with their own sets of unique concerns, the fact that they deal with sensitive financial information belonging to borrowers means that special precautions need to be taken and implemented in order to safeguard companies, clients and employees. This is according to Sarah Cavanaugh, senior compliance officer at Finance of America Reverse (FAR).
“For FAR, we have a strong vendor management program under the legal/compliance umbrella,” Cavanaugh says. “We have a large wholesale division, and we need to make sure we conduct our due diligence and make sure they meet our requirements in compliance and risk management.”
Major areas of focus
The four areas of concern in this arena for any business, up to and including reverse mortgage businesses, are physical security; information security; compliance management; and oversight and enforcement. Physical security involves the actual security of the building the business operates in, and all of the sensitive physical objects (including paper records) that the business must be able to adequately protect. This can include attributes as simple as having secure doors and cameras on the premises.
“Physical security isn’t always about just security, sometimes it’s about safety,” says Jill Haro, SVP of corporate administration at LRES. “Safety comprises facilities, employees and systems. One key part of safety centers on emergency procedures, and making sure that everyone knows where they’re supposed to go in the event of an emergency.”
Compliance management involves a dedicated division that ensures the company, its partners and employees are all following security policies, while oversight and enforcement examines legislative changes that can have an effect on the way that the company complies with applicable regulations.
Cyber security in the reverse mortgage business
Information security is a component that most people today refer to as “cyber security,” and involves technology, software, non-public information, and sensitive business and personal data. Increasingly, important documents such as disclosures can be communicated electronically, and because the primary reverse mortgage demographic centers on people over the age of 62, hurdles can sometimes arise in making sure that necessary information security is upheld, Cavanaugh says.
“With our clientele, most of our clients are seniors. It’s been a slow process to get our customers to adapt to the new world of electronic disclosures, email and communication,” she says. “We need to be really, really sensitive to that, because you cannot send non-public information, or NPI, without encrypting it, because otherwise you’re just leaving it open to the world.”
With disclosures specifically, a balance needs to be found between the ongoing customer service desire to make particular tasks easy and the need to make sure that potentially sensitive data is sufficiently protected, for the good of both the client and the company.
“If [a client asks] to be emailed a disclosure even with encryption, you have to actually have consent from the borrower to receive disclosures electronically, and that consent has to be granted electronically. That’s key,” Cavanaugh says. “You have to have ‘e-consent,’ and the ability to create an audit log where you can track their consent, when they opened [a document], when they downloaded it, and you have to retain that information.”
The general ease of being able to send and receive electronic documents does come with some risk, and making sure that the often narrowly circumscribed regulations are followed is essential in order to balance the ease of electronic transmissions with the due diligence needed to protect clients and companies alike.
“It is a balancing act,” Cavanaugh describes. “[Recently], we had a borrower’s daughter call our offices wanting to talk about the borrower’s loan. We did not obtain consent from the borrower to speak to her daughter, so that’s one of those points where a decision needed to be made. We can’t do that. As a salesperson it’s tough [to have to say no to that request], but as a compliance person there’s a lot of exposure that could put the company in really big trouble.”