
A mortgage lender can have a locked-down network, a trained staff, and a robust incident response plan and still wake up to a data breach. The reason is simple: the borrower data those controls are designed to protect is not sitting in one place under one organization’s control. When you walk through a typical mortgage transaction and count the organizations that touch borrower data, the list is longer than most people realize.
You have the LOS on which the entire loan is created, stored, and managed. The credit and data verification vendors who pull the tri-merge credit reports, verify income and employment, and provide asset or tax transcript reports to fulfill underwriting requirements. The appraisal and valuation management companies. The title and settlement companies. The eClosing and eNotary vendors. The document management and archiving platforms. Mortgage process outsourcing companies. Mortgage insurance vendors. Hazard and flood insurance vendors. Verification of insurance platforms. And more, depending on jurisdiction, income type, and lender.
Every one of those organizations has legitimate access to the borrower’s name, address, SSN, income, employment history, bank account information, and tax returns. Every one of them is a potential point of entry.
A smaller appraisal management company or document storage vendor probably does not have a security team or a compliance department the way a large lender or servicer does. They may feel they are not large or established enough to need one, they may not believe it is important enough to work into their budget, or they simply are not aware of the perils of being unprotected in the digital age.
The problem is that while they may be a small vendor, they are a link in the chain that carries virtually every element of a borrower’s PII from origination to termination. If a threat actor can compromise an unprotected vendor, they gain access to data they could not have reached through an organization with better security.
This is not a hypothetical scenario. During my time as a senior loan coordinator at Capital One Home Loans from 2014 to 2018, I witnessed firsthand the damage that Business Email Compromise attacks inflicted on borrowers at the closing table. Capital One’s systems were never the point of entry. The breach always came through someone else in the transaction chain (e.g., a title company, a settlement agent, a real estate agent), someone with access to the same closing information who was considerably easier to compromise. Capital One was the clearing bank, so we felt the consequences regardless. Watching a borrower’s dream home be stolen from them so close to the finish line, losing so much money to a cruel scam, was heartbreaking for everyone involved.
Historically, vendor vetting in the mortgage industry was largely a checkbox exercise. Thanks to a string of devastating supply-chain ransomware attacks and heavy regulatory enforcement from agencies like the CFPB, the industry has been forced to treat its vetting processes with greater scrutiny. The size of the lender is often indicative of the rigor of that vetting process. Although there is now at least a standardized blueprint across the industry, one can generally expect smaller lenders to have more relaxed vetting while larger lenders have a CISO and resources at their disposal for comprehensive practices.
If I were advising a mid-size lender on how to actually vet their vendors rather than simply checking a box, I would start with three things. First, a comprehensive third-party risk assessment that goes beyond a vendor questionnaire. This would include a review of financial statements, SOC 2 or ISO audit results, and the vendor’s regulatory compliance history.
Second, hands-on technical and operational due diligence: penetration testing results, data flow mapping to understand exactly where borrower data goes and how it is handled, and where possible an on-site visit or live demonstration of their security controls.
Third, and most importantly, an ongoing monitoring program rather than a one-time evaluation. Vendors change, staff turns over, systems get updated, and the security posture that passed muster at onboarding may look very different two years later. Automated alerts, annual reassessments, and enforceable exit strategies built into contracts from the beginning are what separate a real vendor risk management program from a filing cabinet full of signed questionnaires.
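The three steps above amount to a living data-flow map plus a monitoring loop over it. The following is an added example, not code from the original article or from any lender: a small vendor register that records which borrower PII elements each third party legitimately holds, produces the per-field exposure map, and emits the findings an ongoing monitoring program would act on (missing attestation, no penetration test on file, reassessment overdue). The vendor names, dates, and the one-year reassessment interval are constructed assumptions for the demonstration.

```python
"""Vendor data-flow register for a loan file: which third parties hold which
borrower PII fields, and which of them are overdue or lack evidence.
All vendor names and dates below are constructed sample data, not real firms."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Set, Tuple

# Borrower PII elements that flow through a loan file (as listed in the article).
PII_FIELDS = {"name", "address", "ssn", "income", "employment",
              "bank_accounts", "tax_returns"}

REASSESS_INTERVAL = timedelta(days=365)   # assumption: annual reassessment
TODAY = date(2024, 6, 1)                  # fixed "now" so results are reproducible


@dataclass
class Vendor:
    name: str
    role: str
    data_received: Set[str]          # PII fields the vendor legitimately holds
    attestation: Optional[str]       # e.g. "SOC 2 Type II"; None = nothing on file
    pentest_on_file: bool
    last_assessed: Optional[date]    # None = never assessed


def exposure_by_field(vendors: List[Vendor]) -> Dict[str, List[str]]:
    """Map each PII field to the vendors that hold it (the data-flow map)."""
    exposure: Dict[str, List[str]] = {f: [] for f in PII_FIELDS}
    for v in vendors:
        unknown = v.data_received - PII_FIELDS
        if unknown:
            raise ValueError(f"{v.name}: unknown data fields {sorted(unknown)}")
        for f in v.data_received:
            exposure[f].append(v.name)
    return {f: sorted(names) for f, names in exposure.items()}


def findings(vendors: List[Vendor], today: date) -> List[Tuple[str, str]]:
    """Return (vendor, issue) pairs for the monitoring program to act on."""
    out: List[Tuple[str, str]] = []
    for v in vendors:
        if v.attestation is None:
            out.append((v.name, "no SOC 2 / ISO attestation on file"))
        if not v.pentest_on_file:
            out.append((v.name, "no penetration test results on file"))
        if v.last_assessed is None:
            out.append((v.name, "never assessed"))
        elif today - v.last_assessed > REASSESS_INTERVAL:
            days = (today - v.last_assessed - REASSESS_INTERVAL).days
            out.append((v.name, f"reassessment overdue by {days} days"))
    return out


def weakest_links(vendors: List[Vendor], today: date) -> List[str]:
    """Vendors that hold the SSN and have at least one open finding: the
    combination where a compromise does the most damage to the borrower."""
    flagged = {name for name, _ in findings(vendors, today)}
    return sorted(v.name for v in vendors
                  if "ssn" in v.data_received and v.name in flagged)


# Constructed sample register (not real companies).
SAMPLE_VENDORS = [
    Vendor("ExampleLOS", "loan origination system", set(PII_FIELDS),
           "SOC 2 Type II", True, date(2024, 1, 15)),
    Vendor("ExampleCredit", "credit / verification",
           {"name", "address", "ssn", "income", "employment"},
           "SOC 2 Type II", True, date(2023, 3, 1)),
    Vendor("ExampleAMC", "appraisal management", {"name", "address"},
           None, False, None),
    Vendor("ExampleTitle", "title and settlement",
           {"name", "address", "ssn", "bank_accounts"},
           "ISO 27001", False, date(2024, 4, 20)),
]

if __name__ == "__main__":
    for field_name, holders in sorted(exposure_by_field(SAMPLE_VENDORS).items()):
        print(f"{field_name:14s} held by {len(holders)}: {', '.join(holders)}")
    for vendor, issue in findings(SAMPLE_VENDORS, TODAY):
        print(f"FINDING {vendor}: {issue}")
    print("weakest links:", weakest_links(SAMPLE_VENDORS, TODAY))
```

Run as a script it prints the exposure map, the open findings, and the vendors that both hold the SSN and have an open finding. The point of keeping `data_received` per vendor is that the same finding (say, a missed reassessment) matters far more for a vendor holding the SSN and bank account details than for one that sees only a name and property address; the data-flow map is what lets the monitoring program rank its findings that way rather than treating every questionnaire alike.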
The takeaway here is that the security of your data is only as strong as the weakest link in the chain between origination and termination of a loan file. A lender can do everything right internally and still suffer a breach because of a vendor they trusted without fully verifying. If organizations wish to treat data security with the gravity and urgency it requires, they must perform their due diligence. The threat landscape does not stand still, and neither do the vendors operating within it. To the extent that an organization can adequately control for the security of every third party with whom it shares access to sensitive data, it must do so, and this process must be active, continuous, and comprehensive. Anything less leaves the door open for the kind of breach that no internal security investment can prevent.
