The massive amount of data and money that passes through the mortgage finance industry makes it extremely susceptible to attacks from hackers.
And it’s not a matter of if it will happen; it’s already going on, and the threat of attack is only increasing.
Fitch Ratings published a report to stress the importance of a robust information technology (IT) security in loan servicers' operational risk frameworks, especially due to the recent global ransomware attacks.
Reports are saying the recent WannaCry ransomware attack was only the beginning. Through finding the WannaCry ransomware, researchers found a new attack linked to WannaCry called Adylkuzz.
The new attackware targets the same vulnerabilities that were exploited by the WannaCry ransomware, but unlike WannaCry, which froze computers and wreaked havoc worldwide on Friday, Adylkuzz is a cryptocurrency mining malware that takes over a machine and slows down computers and servers to use them to mine cryptocurrencies, like bitcoin and monero, according to Proofpoint and Yahoo News.
The Fitch report stated that since servicers rely on technology, the robustness of IT security, disaster recovery and business resumption plans are an important part of Fitch's servicer assessments.
For servicers rated by Fitch, it considers regular security threat testing to be best practice. “In those instances where a servicer's IT infrastructure is provided by third-party suppliers Fitch expects the servicer to demonstrate appropriate oversight, including verifying that the third party maintains adequate security.”
Fitch also stated that it monitors IT staffing and ongoing technology hardware and software enhancements.
“Our servicer operational reviews consider management's information technology strategies, the experience of the technology staff and timeliness of updates and enhancements,” the report stated. “Signs of a decreasing focus on maintaining a robust infrastructure could indicate increased continuity risk. Fitch also reviews the servicer's approach to data security to assess whether the policies and controls in place enable effective protection of borrower information.”
Following the latest ransomware attacks, Fitch contacted all rated loan servicers and confirmed their operations have not been affected.
Some servicers even took it a step further and indicated that they took additional security steps in response to the attacks.
Unfortunately, the steps are important since the finance industry is far from immune to attacks. Just last Tuesday, it was revealed that hackers had gained temporary access to a non-core system of DocuSign, which allowed them to steal possibly more than 100 million email addresses.
However, DocuSign confirmed that DocuSign’s core eSignature service, envelopes and customer documents remain secure.
The Office of Compliance Inspections and Examinations also published a national exam program risk alert due to the WannaCry ransomware attack.
The OCIE’s National Examination Program staff recently examined 75 SEC registered broker-dealers, investment advisers, and investment companies to assess industry practices and legal, regulatory, and compliance issues associated with cybersecurity preparedness.
They discovered the following results:
Cyber-risk Assessment: Five percent of broker-dealers and 26% of advisers and funds (collectively, “investment management firms”) examined did not conduct periodic risk assessments of critical systems to identify cybersecurity threats, vulnerabilities, and the potential business consequences.
Penetration Tests: Five percent of broker-dealers and 57% of the investment management firms examined did not conduct penetration tests and vulnerability scans on systems that the firms considered to be critical.
System Maintenance: All broker-dealers and 96% of investment management firms examined have a process in place for ensuring regular system maintenance, including the installation of software patches to address security vulnerabilities. However, ten percent of the broker-dealers and four percent of investment management firms examined had a significant number of critical and high-risk security patches that were missing important updates.
The OCIE added that it does recognize that it is not possible for firms to anticipate and prevent every cyber attack. However, it stated that appropriate planning to address cybersecurity issues, including developing a rapid response capability is important and may assist firms in mitigating the impact of any such attacks and any related effects on investors and clients.