Data Security & Privacy Breaches: What Mortgage Brokers Need to Know!
February 20, 2020
Mortgage Brokers and Administrators are among the most valued members of the financial services industry. That’s the good news. The bad news? Cybercriminals target the financial services industry more than any other. Why? Because of your access to confidential personal and financial information, not to mention your valuable third-party connections to lenders, credit agencies, investors, law firms, and more. Simply put, you either have the type of personal information that cybercriminals seek, or you’re a gateway to it.
A breach is all but inevitable; it’s just a matter of how soon it happens. According to the 2022 CIRA Cybersecurity Survey, 44% of Canadian businesses indicate that their organization has experienced an attempted or successful cyber attack in the last 12 months.
Why are Mortgage Brokers vulnerable?
1. Insufficient Cybersecurity
Unencrypted connections, misconfigured servers, unpatched systems, and other gaps in network security are clear entry points for opportunistic cybercriminals to infiltrate your network and compromise data. But while larger corporations can afford to harden their defences, many small and midsize brokerages lack the funds to invest in proper safeguards or the personnel to maintain them once implemented. Many also rely on personal devices or free resources, like Gmail, Dropbox, or Zoom, to conduct business, which are challenging to adequately secure.
Additionally, with many Mortgage Brokers—and their clients—now working from home or working on the go, attackers’ digital entry points have increased exponentially, with extra exposure from weak home security or even public Wi-Fi networks.
2. Human Error
The typical mortgage brokerage has a fast-paced, entrepreneurial culture. While this environment is conducive to sales, it poses a threat to data security. To close a deal quickly, your employees and subcontractors may bypass security rules by using a personal email to send client information or improperly accessing data that resides with your cloud services provider. Or they might be so distracted that they misplace a personal device or fail to securely dispose of a client file; these actions could all easily put you at risk of a breach.
The rise of remote work has compounded these issues. With everyone working far away from the direct oversight of IT staff and senior leadership, employees might be less vigilant about installing software updates, maintaining password hygiene, or using a secure connection. Alternatively, they might simply be unaware of how to handle sensitive data or even recognize the signs of a phishing attack or a breach.
3. Third-Party Compromise
Many entrepreneurs falsely believe that doing business with a major cloud service provider (CSP), such as Amazon or Apple, or even a credit agency like Equifax, absolves them of any responsibility in the event of a breach.
However, under federal privacy laws, your brokerage is legally obligated to protect your clients’ data every step of the way, whether you’re storing it onsite, in the cloud, or running a credit check. Using a third party to collect, store, process, or otherwise handle data won’t transfer your liability. You can still be held accountable—you could still be sued for failing to protect client data—even if you’re not at fault.
What are the consequences?
Unfortunately, the repercussions from a cyber incident can be severe, leading to lasting financial, legal, and reputational harm. Without proper protections in place, you risk permanently losing access to mission-critical data. And as a custodian of personally identifiable information (PII), you could face penalties of up to $100,000 per violation under Canadian privacy laws if you fail to properly collect, retain, or dispose of personal information in your custody or fail to report a privacy breach.
And that’s just the tip of the iceberg. Then there are indirect costs, like client notification, investigation, system downtime, business interruption, and legal fees from any client suits. In fact, IBM Security’s 2022 Cost of a Data Breach Report puts the average cost per lost or stolen record in the financial services industry at $520.
Even worse? Diminished goodwill from the breach might do even more harm than remediation costs, especially if you don’t take swift action or notify breach victims right away. Once you’ve lost that trust, it won’t be easy to regain it or to attract new clients, employees, or even investors.
What can you do?
You can’t always prevent a breach—but you can prepare for one. In an increasingly digital world, it is imperative for Mortgage Brokers and brokerages to take preventative action and work towards a long-term cyber risk management strategy that focuses on the following:
- Add extra layers of protection to all networks and devices, like multi-factor authentication (MFA) and endpoint detection and response (EDR) software. Encrypt data at rest and in transit and routinely back up your information. Keep systems updated with the latest security patches. Develop a tailored incident response plan in case of a breach.
- Build a culture of cyber vigilance. Provide tailored security awareness training to all employees on how to handle sensitive data, use software safely, and identify, avoid, and report potentially harmful situations. Keep them aware of threats as they emerge and partner with a cybersecurity firm to offer high-quality training and simulations.
- For maximum protection, consider Cyber Insurance. Your general liability insurance won’t cover a breach, but a dedicated cyber policy can help you protect your digital assets, offset your losses, and help you get your business back online. Plus, depending on your coverage, your policy may provide funds for your legal liability, a legal breach coach, PR consultants, IT network forensic specialists, client notification, and more!
How can we help you?
PROLINK can help you plan, protect, and become resilient to attack. With nearly 20 years of serving Mortgage Brokers, Mortgage Lenders, and Mortgage Administrators and a specialized knowledge of cyber markets, we understand the unique threats you face like no one else. Our dedicated team of risk advisors will:
- Identify exposures based on your business operations and unique needs;
- Share what steps others in your industry are taking and advise you accordingly;
- Conduct a Cyber Risk Assessment to determine your overall cyber readiness;
- Advise you on a risk management approach to control your costs long-term; and
- Align you with a comprehensive Cyber Insurance policy tailor-made for Mortgage Professionals, with clearly defined parameters of coverage.
To learn more, connect with PROLINK today.