Mortgage companies must focus on bolstering cybersecurity infrastructure, and should report any and all incursions from bad actors who seek access to sensitive information or who plan to encrypt systems to hold for ransom.
This was a core part of the thesis presented by Selim Aissi, cybersecurity expert and former CISO of ICE Mortgage Technologies (formerly Ellie Mae) during a keynote session at HW Annual in Frisco, Texas this week.
Ransomware attacks – in which a bad actor gains access to a target individual or organization’s digital systems, then encrypts them, and sells the decryption key back to the victim for a price – have grown significantly more sophisticated over the past several years.
This has led to a wider gamut of bad actors – including more “traditional” criminals, such as members of organized crime – to get involved in cybercrime.
Total losses from cybercrime exceeded $4.2 billion in 2020, Aissi explained. The most common forms of cybercrime in 2020 included phishing incursions, business email compromise (BEC) and ransomware, which has extended into 2021.
For mortgage companies, the best thing that can be done to defend against the first instance of an unauthorized incursion into its digital systems is proper education of staff to spot suspicious communications, and report them as soon as possible. Taking stock of a company’s most important assets and information is also paramount to success in trying to avoid becoming victimized by cybercriminals.
“The most basic step is to ensure where and what your assets are,” Aissi said. “If you don’t know those things, you can’t protect them. Focus on the most important things first, that’s important. Lenders work with Managed Security Service Providers (MSSPs), but […] focusing on the fundamentals is important.”
In terms of how prevalent ransomware is across the mortgage industry specifically, Aissi explained that dozens of lenders reached out during his time working as senior vice president and chief security officer at Ellie Mae.
“I don’t have an exact number, but I can say that in my six years at Ellie Mae, I got calls from about 30-35 lenders over the last three years [of my time there],” Aissi said. “Mid-size lenders are more likely to share that they need help with authorities. Over the past five months, I got calls from about five lenders who were down for a couple of weeks, and it got to the point where they actually had to engage with the adversaries for the decryption key.”
This means paying the ransom. In fact, of the mortgage lenders that admit to having been the victim of a ransomware attack, most of them end up paying the attackers for the decryption key, he said.
When asked by HW Media CEO Clayton Collins whether a mortgage company should report a cybersecurity breach to the Federal Bureau of Investigation (FBI) or other relevant authority, Aissi explained that collaborating with federal law enforcement as quickly as possible can be a notable difference-maker.
“As part of [a lender’s] ransomware playbook, the first step on that should be to get in touch with a federal law enforcement agency,” Aissi said. “They have a lot of ransomware decryptors, but even when it comes to business email compromise, they can help recover lost money.”