2016 saw numerous security breaches, including the successful breach of the Democratic National Committee’s computer systems, where hackers were able to work for seven months, sending phishing emails that ultimately scored a huge win: the account of John Podesta, chairman of Hillary Clinton’s presidential campaign.
Financial institutions continue to battle malicious attacks from every side, and even the august New York Federal Reserve proved vulnerable when cyber thieves walked away with $80 million in February 2016. Cyber attacks are a serious threat across the world: Lloyd’s estimated in 2015 that they cost businesses as much as $400 billion a year, and a Forbes story from January of this year predicts that number will quadruple by 2019.
Last year, the number of data breaches in the United States reached an all-time high of 1,093, a 40% spike over the 780 reported for 2015, according to a new report from the Identity Theft Resource Center and CyberScout.
2017 isn’t shaping up to be any better. One of the first notable attacks of the year occurred shortly after New Year’s Day. On January 11, London-based Lloyds Banking Group experienced a two-day-long distributed denial of service (DDoS) attack across the group’s websites, including Halifax and Bank of Scotland.
The attack made it difficult for customers across Lloyds’ brand sites to log in to their accounts. The company initially denied it was under attack and blamed the breakdown in services on “technical issues,” but it was later revealed to be a DDoS attack, a type of attack in which the perpetrator uses thousands of unique IP addresses to flood the bandwidth or resources of a targeted system. The goal is to deny legitimate users access to a service or website.
The attackers did not get very far with Lloyds. IT security experts with the bank “geo-blocked” the source of the attack, effectively dropping traffic from the region the attack was coming from. Unfortunately, the geo-blocking measure also blocks legitimate customer requests from that area. The attackers then move to servers in another region, and the geo-blocking game begins again.
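The two points in the passage above, that a distributed flood comes from many addresses each sending little, and that geo-blocking a region stops attack traffic and customer traffic alike, can be made concrete on a small access log. The following is an added example written for this article, not code from Lloyds or from the page; the log lines, the country codes XA and XB (user-assigned ISO codes, not real countries) and the addresses (documentation ranges) are constructed, and the rule that a request carrying a session cookie counts as customer traffic is an assumed heuristic.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def build_sample_log():
    """Constructed access log (not real traffic). Fields: ts ip country path status session."""
    lines = []
    base = datetime(2017, 1, 11, 9, 0, 0)
    # Flood: 40 distinct source addresses in XA, one request each, within five seconds.
    # A per-IP rate limit never fires because each address sends only one request.
    for i in range(40):
        ts = base + timedelta(milliseconds=i * 125)
        lines.append(f"{ts.isoformat()} 198.51.100.{i + 1} XA /login 503 -")
    # Legitimate customers in XA and XB with established sessions, spread over a minute.
    for i in range(5):
        ts = base + timedelta(seconds=i * 12)
        lines.append(f"{ts.isoformat()} 203.0.113.{i + 1} XA /account 200 s{i}")
        lines.append(f"{ts.isoformat()} 192.0.2.{i + 1} XB /account 200 t{i}")
    return lines


def parse(line):
    ts, ip, country, path, status, session = line.split()
    return {"ts": datetime.fromisoformat(ts), "ip": ip, "country": country,
            "path": path, "status": int(status),
            "session": None if session == "-" else session}


def detect_flood(records, window_seconds=10, min_requests=30, min_distinct_ips=20):
    """Return (window_index, requests, distinct_ips) for windows that look like a flood.

    Aggregate volume plus source diversity per fixed window is what exposes a
    distributed flood that per-source limits miss."""
    if not records:
        return []
    t0 = min(r["ts"] for r in records)
    windows = defaultdict(list)
    for r in records:
        bucket = int((r["ts"] - t0).total_seconds() // window_seconds)
        windows[bucket].append(r["ip"])
    alerts = []
    for idx in sorted(windows):
        ips = windows[idx]
        if len(ips) >= min_requests and len(set(ips)) >= min_distinct_ips:
            alerts.append((idx, len(ips), len(set(ips))))
    return alerts


def geo_block_impact(records, blocked_countries):
    """Estimate what a geo-block stops and what it breaks.

    Assumed heuristic: a request with an established session is customer traffic,
    a sessionless request is suspect. In production this would be an allowlist of
    known customer sessions or addresses."""
    stopped_suspect = stopped_customer = 0
    for r in records:
        if r["country"] in blocked_countries:
            if r["session"] is None:
                stopped_suspect += 1
            else:
                stopped_customer += 1
    return {"stopped_suspect": stopped_suspect, "stopped_customer": stopped_customer}


if __name__ == "__main__":
    recs = [parse(line) for line in build_sample_log()]
    print("flood windows:", detect_flood(recs))
    print("block XA:", geo_block_impact(recs, {"XA"}))
    print("block XB:", geo_block_impact(recs, {"XB"}))
```

On the constructed data the first ten-second window carries 42 requests from 42 distinct addresses and is the only window flagged, while blocking XA stops all 40 suspect requests but also the five customer requests from that region, which is exactly the trade-off the article describes.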
With these growing threats, it is now critical that companies in the mortgage finance space develop an information security plan, and make sure their vendors are covered too.
It’s not enough to ensure that one company’s data is protected; the next step is to make sure that any third-party company involved is also serious about protecting information.
ONE COMPANY’S APPROACH
In the midst of this cyber war, one third-party vendor is taking serious measures to ensure its employees are handling sensitive information carefully, minimizing the risk the information could fall victim to an attempted hack. Black Knight Financial Services uses constant and consistent employee education to create an environment where each employee is held responsible for what they click.
Peter Hill, chief risk officer for BKFS, explained the company’s commitment to protecting consumer data. “As a premier provider of technology to the mortgage industry, we are committed to and laser focused on protecting our clients’ data. Because opportunities for risk never stop, we continuously implement new and innovative ways to mitigate this risk.”
BKFS uses a variety of methods to keep employees on their toes, including phishing training to test employees on potential phishing scams. On a monthly basis, BKFS uses the PhishMe simulator to send a simulated phishing email to employees as a test. There’s a built-in button that users can click to alert the IT security department of the threat, or employees may open the email, alerting the company that there’s a need for more specific training. BKFS began sending the tests to limited audiences at the end of 2014 and steadily increased to 100% of employees in 2016. Since implementing monthly testing, the success rate of the tests (the proportion of employees who report the email rather than opening it) has improved significantly, with recent months showing more than a 100% improvement.
The simulator program received the 2016 award for Best IT-Security Related Training Program from the SC Awards, which celebrates the top performers in the information security field.
WHAT IS PHISHING?
There’s a reason BKFS decided to focus on email.
The annual ITRC report breaks down the 2016 breach data by type of occurrence, and for the eighth year in a row, hacking, skimming and phishing attacks were the leading cause of security breaches, making up 55.5% of attacks, a 17.7% increase since 2015. According to ITRC, many of these were a result of CEO spear phishing attempts.
Better known as email compromise schemes, these attacks expose highly sensitive information, including Social Security numbers and business tax information. Taking advantage of users by email, these scams are known for tricking customers into giving out personal information such as credit card numbers, passwords, and bank account information.
Phishing emails are deceptive by design: they are made to look like a legitimate email from someone you know or are expecting to hear from. Hill explained that an employee could get an email around Halloween, for example, about a costume dress code. The email would ask the recipient to follow a link to retrieve the document, and following that link is what gives the attacker a way into the system.
Malicious emails are becoming more sophisticated and more realistic every day. Emails disguised as messages from popular services like Netflix or Gmail are tempting for anyone to open at first glance, so constant and effective training is necessary to help employees recognize a potentially threatening email.
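The passages above describe the mechanics an employee is being trained to notice: mail that imitates a known sender and carries a link that does not go where it appears to. The checker below is an added example written for this article, not BKFS's tooling or the PhishMe product; it extracts the links from a constructed sample email and flags three deceptive patterns (visible text naming one domain while the link goes to another, a destination host that borrows a protected brand name, and a link to a bare IP address). The brand list, the `.example` host and the documentation-range address are all constructed, and the two-label domain shortcut is a stated simplification of what a real implementation does with the Public Suffix List.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed list of brand names an attacker is likely to borrow, mapped to the
# registrable domain that legitimately carries them (assumed values, extend as needed).
PROTECTED_BRANDS = {"netflix": "netflix.com", "gmail": "google.com", "google": "google.com"}

# Constructed sample email body; the addresses and hostnames are not real.
SAMPLE_EMAIL = """<html><body>
<p>Your Netflix payment failed.</p>
<a href="https://www.netflix.com/account">Update payment method</a>
<a href="http://203.0.113.5/billing">https://www.netflix.com/billing</a>
<a href="https://netflix-verify.example/login">Verify your account</a>
</body></html>"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    # Simplification: the last two labels. Real code consults the Public Suffix List.
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def assess_link(href, text):
    """Return the reasons a link looks deceptive; an empty list means nothing was flagged."""
    reasons = []
    href_host = host_of(href)
    # 1. The visible text shows a hostname whose domain differs from the real destination.
    shown = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text.lower())
    if shown and registrable(shown.group(1)) != registrable(href_host):
        reasons.append(f"text shows {shown.group(1)} but link goes to {href_host}")
    # 2. The destination host borrows a protected brand name but is not that brand's domain.
    for brand, real_domain in PROTECTED_BRANDS.items():
        if brand in href_host and registrable(href_host) != real_domain:
            reasons.append(f"host {href_host} imitates {brand} ({real_domain})")
            break
    # 3. A bare IP address as destination, which legitimate brand mail does not use.
    if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", href_host):
        reasons.append(f"link points at bare IP address {href_host}")
    return reasons


def scan_email(html_body):
    """Return [(href, text, reasons)] for every link in the email body."""
    parser = LinkExtractor()
    parser.feed(html_body)
    return [(href, text, assess_link(href, text)) for href, text in parser.links]


if __name__ == "__main__":
    for href, text, reasons in scan_email(SAMPLE_EMAIL):
        print(f"{href!r:45} {'OK' if not reasons else '; '.join(reasons)}")
```

Run against the sample, the first link passes, the second is flagged twice (text/destination mismatch and a bare IP) and the third once (a lookalike host). Heuristics like these belong in a mail gateway or in the report-button workflow the article describes; they complement training rather than replace it, because a convincing lure can use a clean-looking domain.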
“Our employees are our first line of defense in risk and security management, which makes finding effective training and awareness techniques critical to the safety and soundness of the company,” Hill said. “Continuous education on information security is the only way to make employees aware of and teach them how to avoid the behaviors that may put a company at risk.”
Hill stressed how crucial the “tone at the top” is regarding information security, because employees are more likely to understand the gravity of the issue if they understand its importance for upper-level executives.
“The employees won’t get that impression unless they hear it from the top,” Hill said.
Financial institutions and the vendors they hire can implement different cyber defense strategies, such as white hat testing, in which an ethical hacker or cybersecurity expert attempts to breach the system to find flaws before a real attacker does, as well as data encryption, multifactor authentication and network segmentation.
The threat landscape is evolving exponentially. Data thieves are getting bigger and better and may not only have money in mind when they hack. Hacktivists and nation-state hackers may have other motives for stealing personal data and information. The hack on the Office of Personnel Management in 2015 compromised the sensitive information of 22.1 million people, but no one knows, even now, what those records have been used for.
“These are not just teens hacking into companies from the garage,” Hill said. “They don’t just break in to steal data, it’s also done to damage reputation and to damage the website.”
It’s that type of reputational damage that hurts smaller financial institutions and vendors the most. Hill explained that while smaller companies may not have the budget or resources to implement a high-tech information security plan, they also don’t have the same number of customers and may not see the same number of threats that larger companies, like JPMorgan Chase and Bank of America, do. Larger institutions, by contrast, can afford fully developed IT departments to oversee security, monitor for potential vulnerabilities or threats and implement countermeasures when threats do arise.
Regulators have been warning companies in the mortgage space for years that they need to take this issue seriously. While the Federal Trade Commission has typically been the enforcer of data security policies, the Consumer Financial Protection Bureau, emboldened with its reach of authority, has also entered the data security enforcement field.
In March 2016, the CFPB took action against online payment system company Dwolla, Inc. The CFPB alleged that Dwolla engaged in deceptive business practices by failing to adopt and implement reasonable and appropriate data security policies and procedures.
Dwolla settled with the CFPB, agreeing to cease misrepresentation of its security measures and practices, implement comprehensive (and no doubt, costly) data security measures and policies, hire or designate a qualified person to oversee and coordinate a data security program, repair existing security weaknesses found on web and mobile applications and, of course, pay a $100,000 fine.
While proponents of regulation argue the need and effectiveness of having the CFPB oversee data security, the irony is that the CFPB has its own work cut out for it in this regard. In October 2016, the Office of the Inspector General released a memorandum outlining four management challenges for the bureau.
The area of most importance? Ensuring an effective information security program.
“Although the CFPB has transitioned its IT infrastructure from the U.S. Department of the Treasury and continues to mature its information security program, it faces challenges in fully implementing its information security continuous monitoring program, including a comprehensive data loss prevention system, and overseeing the security of contractor-operated information systems,” the memo read.
The OIG concludes in the memo, addressed to CFPB Director Richard Cordray, that the bureau does not have a comprehensive set of policies for some areas and that its staff were not completely aware of and compliant with existing procedures and policies.
In September, the New York Department of Financial Services unveiled a set of cybersecurity regulations designed to beef up security measures for banks, insurance companies and other financial services companies that operate within the state.
The regulations require all institutions subject to NYDFS supervision to establish and maintain a cybersecurity program meeting “certain regulatory minimum standards” and require additional levels of security when working with third-party service providers, as most lenders do. The third-party servicers should expect these regulations to trickle down to them, as well, if they are working with sensitive financial data.
Revisions made to the NYDFS regulations late in 2016 created a small business exemption for companies that have fewer than 10 employees, $5 million in gross annual revenue, or $10 million in year-end total assets, providing some relief to smaller banks and lenders, who truly feel the burn from data breaches. Unlike their larger counterparts, small community banks and credit unions can’t always shoulder the cost of an attack on confidential user data.
Money aside, the biggest loss for a company can be losing a consumer’s trust and business.
“These are valuable assets your customers have entrusted you with,” Bill Kresse said. Kresse is an assistant professor at Governors State University in Illinois and is the former director of the Center for the Study of Fraud and Corruption at Xavier University.
“Just as you wouldn’t use a cigar box to hold valuables, don’t use something basic for private information. If a company is breached, customers won’t just feel their own losses, they’ll feel betrayed.”
Kresse said the costs for a company that has been breached are about $7 per affected consumer, but the costs incurred by the consumer go well beyond money. The effects of having personal information stolen can last a lifetime, involving months of work to clean up and recover personal data and to deter further use of that data for illicit activities, like signing up for credit cards, payday loans and wire transfers.
“It can last until after you’re dead,” Kresse said.
Financial institutions that don’t give enough attention to data security are underestimating the long-term impact that a data breach will have on their bottom line — and their reputation. Fighting on the front lines of this battle, companies in the mortgage industry have to be constantly and creatively vigilant.