Cyberattacks are on the rise in recent weeks, as sanctions on Russia push its economy to the breaking point, and mortgage lenders may have unique vulnerabilities.
Cybersecurity experts said in interviews that in the past couple of weeks, cyberattacks targeting the financial sector, that are in part traced back to Russia, have been more elevated than usual.
Rick Hill, vice president of industry technology at the Mortgage Bankers Association, said that lending is a critical component of the nation’s infrastructure, which is one reason it is more susceptible to being attacked.
“We urge our members to remain extra vigilant for attempts to breach their systems through phishing and other attack methods,” said Hill.
The MBA warned in a post published in early March that third-party vendors and contractors used by lenders may be “potential avenues for these attacks.”
John-Thomas Gaietto, chief security officer at Digital Silence, said that the mortgage industry should be on guard, in light of a “massive uptick in [cyberattacks] over the last four to five weeks.”
Freddie Mac updates risk mitigation requirements for the industry due to elevated cybersecurity threats
As the mortgage world becomes more technologically interconnected, the risks to cybersecurity, data and infosecurity increase. These risks should be top-of-mind for mortgage professionals, as evidenced by recent changes at Freddie Mac that emphasize risk mitigation and cybersecurity efforts.
Gaietto said Russia-linked hackers often gain access to an organization’s network through phishing and embed themselves on a company’s server. He also said that warehouse lines of credit, which non-bank lenders rely on to fund loans, are particularly vulnerable to attack.
Hackers are “able to move money out of that warehouse line that may have been used for funding loans, and then monetizing that for their purposes,” he said.
Mitch Tanenbaum, partner at CyberCecurity, a cybersecurity consulting firm, said that the easiest way for unscrupulous actors to gain access to financial institutions, including mortgage lenders and servicers, is through phishing schemes.
“They’ll send out a million emails or they’ll scan a million IP addresses,” said Tanenbaum. “They’ll look for vulnerabilities. And guess what, they’ll likely find one.”
State financial regulators have also sounded the alarm on cyberattacks. The New York Department of Financial Services last month warned the state-chartered banks it oversees of the risk of cyber retaliation from Russia.
“The Russian invasion of Ukraine significantly elevates the cyber risk for the U.S. financial sector,” Adrienne Harris, superintendent at NYDFS, wrote in a February letter to banks. “Escalating tension between the U.S. and Russia also increases the risk that Russian threat actors will directly attack U.S. critical infrastructure in retaliation for sanctions or other steps taken by the U.S. government.”
The NYDFS warned that financial institutions should “review their programs to ensure full compliance, with particular attention to core cybersecurity hygiene measures like multi-factor authentication, privileged access management, vulnerability management and disabling or securing remote desktop protocol access.”
The Cybersecurity and Infrastructure Security Agency, also recently updated its website to highlight current cybersecurity threats. The federal agency said that in the wake of sanctions imposed by the United States and its allies on Russia, every organization must prepare to respond to disruptive cyber activity.
As interest rates rise and margins compress, the transition to a purchase market may also result in lowering defenses against cyberattacks.
Gaietto said that in such an environment, LOs may be more susceptible to cyberattacks because they will rush to close a loan quickly and be less mindful of the things that they are clicking.
In a lending environment “when there’s a high sense of urgency either on the loan officer side or on the consumer side, it’s very easy to dupe people with fake emails,” Gaietto said.
One challenge to assessing how widespread cyberattacks is the reluctance to disclose when an incident has occurred. Players in the mortgage industry rarely give details when they are targets of cyberattacks, in part because they don’t want to alert customers or give their competitors an opportunity to poach their clients.
However, in July 2021, Cloudstar, a major title industry cloud services provider, said it suffered a ransomware attack, which stopped an untold number of loans from closing.
At the time, the cloud services provider said that their systems were inaccessible and that there was no definitive restoration timeline. Cloudstar, in an October 2021 post, said that a forensic investigation and data recovery efforts by Tetra Defense, a company assisting in the recovery efforts, had concluded. The post did not explain who was responsible for the attack or how many customers it impacted.
Cloudstar did not return a request to comment.
Gaietto predicted that the threat of cyberattacks, for the mortgage industry in particular, is here to stay. For some companies, the cost of prevention may eventually become too much to bear.
“We’re continuing to see these threat actors change and adapt, and they’re always a step in front of us,” he said. “I do think that the volume of attacks is going to increase, the monetization and impact of those events is going to increase. We’re going to reach a potential tipping point where the cost of prevention is going to outweigh the valuation of some organizations based on their size.”