
Your organization can spend an unlimited amount of money on cybersecurity software, professionals, and training. You can send out emails every day for weeks exhorting the staff to practice good data hygiene, to report suspicious emails, to exercise caution when dealing with sensitive and personally identifiable information. The walls of your office building could be filled from floor to ceiling with security awareness materials and dazzling visual aids to keep staff perpetually vigilant to the risks of threat actors.
If you’ve taken all of these steps, and perhaps even more, then you are on the right track to protecting the CIA (Confidentiality, Integrity, and Availability) of your organization’s data. The problem, however, is that by the time a loan file reaches its final destination, it has already passed through the hands of a loan officer, a processor, an underwriter, a closer, a QC reviewer, a title agent, and potentially a third-party originator, an appraisal firm, and a secondary market investor. Each one of these hand-offs is a potential weak link in the chain and no firewall currently available covers all of them.
A typical loan file can run into the thousands of pages and contain hundreds of individual data points on a borrower. The SSN alone is enough to open new credit accounts, file fraudulent tax returns, and assume the borrower’s identity entirely. A compromised loan file puts the threat actor in possession of full tax returns, including 1040s and all schedules, bank account numbers, detailed employment information and history, copies of government-issued ID, and wire instructions with exact account and routing numbers. Consider the risk exposure to be doubled if there is a co-borrower on the loan.
If the loan is Non-QM or DSCR/business purpose, the threat actor now has access to 12-24 months of full bank statements or business entity documents, operating agreements, and business financials, respectively, on top of everything else. What’s worse is that, unlike a credit card breach in which the card can simply be canceled and a new one issued, most of the data compromised in an LOS breach is permanent and cannot be reset.
Before the average loan file has completed its life cycle it is touched by ten to fifteen different organizations, each one with its own access controls, security policies, and off-boarding procedures (or lack thereof). A third-party originator or broker handles a loan file outside the lender’s security perimeter before it ever even reaches the lender. Then, of course, you have appraisal management companies, title firms, and settlement agents, all of whom require file access but are rarely subject to the lender’s security requirements.
Once the loan is sold on the secondary market the file moves to an entirely new organization (investor, aggregator, or servicer) with its own system. Due diligence firms reviewing loan pools employ contract analysts, sometimes remotely, sometimes even offshore, and role-based access controls are inconsistently applied. These contract and remote workers often access the LOS platforms from personal devices on home networks with no endpoint monitoring. It is not uncommon for users in these roles to have access far beyond what their job actually requires. Off-boarding does not end the potential for data compromise, either, as former employees and contractors often retain LOS access even after separation.
While most LOS platforms have audit logging capability, most organizations never actually review the logs, and in high-volume shops it is common for multiple people to share one set of credentials, which renders the audit logs useless even if they were reviewed. As third-party software (e.g., credit vendors, appraisal platforms, title software) is integrated into an LOS platform, additional data access pathways are created that are rarely inventoried or audited.
While we have discussed only a small selection of pain points and vulnerabilities here, the overarching point is that the more organizations become involved in the life of a loan file, the more off-boarding failures, credential leaks, and unmonitored access points accumulate across the life of that loan file.
The vulnerabilities described above are not simply theoretical issues; they have very real and often enduring consequences. A threat actor who has gained access to a loan file already has everything needed to turn a profit by scraping the file for personally identifiable information (PII) or simply selling the entire loan file on dark web markets.
A full loan file or a complete financial profile can command significant value on such markets, but with just the borrower’s SSN, a copy of their government-issued ID, and some of the detailed employment information found within a loan file, a threat actor can successfully impersonate the borrower convincingly enough to open new lines of credit, file fraudulent tax returns, or submit loan applications in their name.
Full bank account numbers pulled from asset documentation in the loan file enable the threat actor to take over the borrower’s account directly. Perhaps the most insidious threat to information security for an organization is that of the malicious and/or disgruntled insider. Without raising a single red flag or tripping any alarms, an insider threat can take possession of a veritable fortune’s worth of sensitive data.
What will really keep you awake at night is that a borrower whose file was compromised during a transaction may not discover the consequences for months or even years after closing. As previously mentioned, the truly valuable data in a loan file cannot just be canceled like a stolen credit card. A borrower cannot just have a new SSN issued or choose a new birth date or invent a new employment history when that information is compromised. Instead, a threat actor may sit on this information for a long period before ever capitalizing on it.
The good news is that most of the vulnerabilities discussed here can be addressed without a complete overhaul of existing systems. The single most impactful control an organization can implement is the principle of least privilege, which means users should only have access to what their specific role actually requires and nothing more.
Paired with least privilege, consistent off-boarding procedures are essential to information security. When an individual separates from an organization, completes an assignment, or is otherwise removed from a project, access credentials should be revoked immediately to prevent unnecessary exposure of the file and its data.
While many organizations seem to be allergic to reviewing audit logs, allowing them to collect digital dust until after a security incident has taken place, these highly valuable security tools should be reviewed regularly and proactively. Organizations should require that all LOS access occur on company-managed devices with endpoint monitoring, eliminating the personal device and home network problems entirely.
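One way to make that review routine, shown as an added example rather than code from any LOS vendor: a Python pass over a constructed audit-log export that flags access after separation, access from unmanaged devices, and one login appearing on two devices within ten minutes (a heuristic for shared credentials). The CSV field layout, the roster, and the ten-minute window are all assumptions.

```python
import csv, io
from datetime import datetime, timedelta

# Constructed sample export; the field layout is an assumption, not any LOS vendor's format.
AUDIT_CSV = """timestamp,user,device_id,managed,loan_id,action
2024-03-04T09:02:11,jdoe,LT-1001,yes,LN-5001,open_file
2024-03-04T09:05:40,jdoe,PC-HOME-7,no,LN-5002,export_docs
2024-03-04T10:15:00,asmith,LT-1002,yes,LN-5003,open_file
2024-03-09T22:41:03,contractor7,LT-2001,yes,LN-5001,export_docs
2024-03-11T14:00:00,jdoe,LT-1001,yes,LN-5004,open_file
"""

# Constructed HR/vendor roster: end of authorized access per account (None = still active).
SEPARATED = {"jdoe": None, "asmith": None, "contractor7": datetime(2024, 3, 1)}
SHARED_WINDOW = timedelta(minutes=10)


def review(audit_csv, separated, window=SHARED_WINDOW):
    """Return sorted (rule, user, timestamp) findings for one log export."""
    findings = set()
    last_seen = {}  # user -> (timestamp, device) of that user's previous event
    rows = sorted(csv.DictReader(io.StringIO(audit_csv)), key=lambda r: r["timestamp"])
    for row in rows:
        ts = datetime.fromisoformat(row["timestamp"])
        user, device = row["user"], row["device_id"]
        # Off-boarding failure: activity after the account should have been revoked.
        end = separated.get(user)
        if end is not None and ts > end:
            findings.add(("post_separation_access", user, row["timestamp"]))
        # Accounts missing from the roster cannot be tied to a person or role.
        if user not in separated:
            findings.add(("unknown_account", user, row["timestamp"]))
        # Personal-device access bypasses endpoint monitoring.
        if row["managed"].strip().lower() != "yes":
            findings.add(("unmanaged_device", user, row["timestamp"]))
        # One login on two devices within the window suggests a shared credential.
        prev = last_seen.get(user)
        if prev and prev[1] != device and ts - prev[0] <= window:
            findings.add(("possible_shared_credential", user, row["timestamp"]))
        last_seen[user] = (ts, device)
    return sorted(findings)


if __name__ == "__main__":
    for finding in review(AUDIT_CSV, SEPARATED):
        print(*finding, sep="\t")
```

Each finding is a prompt for follow-up, not a verdict: a device swap inside the window can be legitimate, so the shared-credential rule should be tuned against how staff actually work.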
Vendor and third-party relationships should be subject to formal security qualification, with every organization that touches a loan file required to demonstrate that its access controls meet a defined standard. Finally, multi-factor authentication should be non-negotiable for any system containing borrower data.
None of these controls require exotic technology or an unlimited budget.
