David Officer, VP at SAP Fioneer and Rob Lux, CEO of Ranieri Solutions, review the challenges servicers face and how they can be addressed with Cloud for Mortgage.
David Officer — In our last article, we discussed Compliance, the second of the “Five C’s” that challenge mortgage servicers. The Five C’s that challenge mortgage servicers are the critical and sometimes competing priorities of:
- Anticipating customer needs and providing a digital experience that enables self-service
- Ensuring compliance with evolving federal, state, and local laws and agency regulations
- Defending against new and emerging risks in cybersecurity
- Customizing services to their clients’ unique needs and preferences
- Controlling costs while addressing all of the above
This article will focus on the third C: Cybersecurity. Trust is at the heart of any relationship between a homeowner and their mortgage servicer. SAP Fioneer recognizes the need to protect client data and its mortgage servicing partners. SAP has over 40 years’ experience serving many of the largest global banks and insurers, who are constantly under threat of bad actors and cybersecurity threats. As such, C4M’s modern technology platform benefits from a secure application environment. It also benefits from ongoing updates and enhancements to close and mitigate cybersecurity risks.
The third challenge: Cybersecurity and defending against the constant threat of bad actors disrupting your operation and damaging your reputation
Rob Lux — In our last article, we covered compliance challenges. The next challenge that we will cover has emerged as a huge threat to the mortgage industry. It is the third C: Cybersecurity and protecting your business from bad actors.
Over the past year, cybercriminals have launched successful attacks against many well-known mortgage firms. They have disrupted consumers and, in some instances, stolen their information. The list of mortgage firms impacted by a cyberattack is a who’s who of our industry. The cost of recovering from these attacks (which sometimes includes paying the attacker’s ransom demand), the reputational damage, the impact on consumers, fines, and the resulting class action lawsuits all add to the overall cost to service.
According to IBM Security’s “Cost of a Data Breach Report,” the average cost of a data breach in the financial industry was $4.88 million in 2024. But that’s just the average – in our industry those figures can be much higher. For example, Mr. Cooper had 14.7 million of their customers’ records stolen and is fighting with their insurance firm stating the cost of that single attack was $30 million. Similarly, LoanDepot took a $27 million charge this summer in connection with an attack. The cost of cyberattacks is not cheap.
These criminals have been able to brazenly attack businesses, hospitals, and cities with little to no risk. This is reminiscent of the Depression-era gangsters who robbed banks and hurt customers with little fear of reprisal. That is, until our government decided to take action in the form of the FBI. As recounted on the FBI’s history website, “By the end of 1934, most of these public enemies had been killed or captured.”
Government Regulations?
Unfortunately, today our federal government has failed to take similar steps to restore law and order by eliminating the bad actors perpetrating these attacks on our homeland. This despite spending over $23 Billion of taxpayer money annually on Cybersecurity ($10 Billion for Civilian and $13.5 Billion for military).
Instead, businesses are expected to protect themselves against sophisticated nation-state led attacks with little to no help from our government. Rather, the government creates legislation and regulations adding more burdensome requirements to businesses. And the bad actors continue to roam freely and create harm to those businesses and their customers. The very first sentence of our U.S. Constitution states that the government exists to “provide for the common defence.”
In my opinion, it is time our government recognizes we are at war and takes the necessary actions to fight back and protect us.
Until things change, what can you do to protect your business from cyberattacks?
The suggestions below are in no way comprehensive but should help you be better protected from attack. And note I use the term “better protected”. It’s impossible to fully protect your firm from a determined and capable attacker with the resources to breach your defenses. The best a business can do is slow them down and hope they move on to a less protected target.
Modernize your Environment
An initial step to better protect yourself is to modernize your environment. Legacy systems and aged infrastructure are easy targets for attackers. This means upgrading your hardware and software and ensuring the required patches are applied. If you are running your infrastructure in a modern Cloud environment, you have a plethora of security tools and features to choose from. Cloud providers invest significant resources in cybersecurity defenses and keep their infrastructure updated and patched. If you don’t have the resources to do all this yourself, you may want to investigate utilizing a SaaS provider who can provide the services and manage the technology applications and infrastructure on your behalf.
You should also review your environment for weaknesses.
- Do you have a concentration risk where you are using only one provider for a critical service?
- What happens if that provider is attacked and can’t provide that service? For example, Finastra was attacked in 2020 and had to take many systems offline. This disrupted borrowers’ ability to make payments.
- Would you be able to manually process payments until that vendor comes back online?
- If not, do you have a backup vendor available?
In terms of concentration risk, one system – ICE/Black Knight’s MSP – services over 65% of US mortgages. Built over a half century ago, this technology is hosted in only two data centers separated by only 600 miles. This should be a major concern for everyone in the mortgage industry. If a significant issue occurs with that system, it would cripple the US mortgage industry.
Data Safety
Data is a strategic asset that attackers covet. They either steal valuable data and sell it, or they encrypt critical data and hold it ransom. It is imperative that you consolidate and protect your most critical data as you do with your personal valuables.
As the IBM report highlights, 40% of breaches involved data stored across multiple environments. In an MBA Newslink article, Nexval’s Souren Sarkar stated “Many mortgage companies use multiple systems for their operations, yet these systems are often not properly integrated, which means they have multiple access points. Having poorly integrated systems not only reduces efficiency, but it’s also like having a house with many doors leading outside—it gives the “bad guys” too many options. A better strategy is to integrate your mortgage technology into one cohesive platform and reduce the number of entry points, thereby lowering the likelihood of cyberattacks.” Verizon’s 2024 Data Breach Investigations Report supports his point by stating that “…the old core tech might have some natural immunity from some cyber-attacks, however, the proliferation of many surrounding systems that make up the shortcomings of the core systems increases the vulnerabilities.”
Unfortunately, all the legacy servicing technology forces servicers to support multiple systems, duplicating data and shipping it around the enterprise for processing. This makes it much easier for attackers to exploit. Having a modern servicing system that consolidates your critical data into a secure cloud-based environment is the answer.
People & Preparation
So far we have focused on systems and data. But probably the biggest factor in your firm’s cybersecurity is your people. By training your people to spot threats and anomalies, you can better protect your business. Training should occur regularly and so should testing to see whether they respond to malicious emails or requests. This should extend to everyone who has access to your systems including vendors and contractors. People should only be given access to what they absolutely need to do their job. Everyone prefers the ability to have easy access to every system. But granting this access may also provide access for bad actors.
Unfortunately, the question is not IF you will be attacked, but WHEN you will be attacked. To respond and hopefully repel these attacks, practice makes perfect. You should not wait for the attack. Instead, you should simulate attack scenarios now via tabletop exercises and develop incident response drills for dealing with attacks. You don’t want to determine how to communicate an attack to stakeholders or how to deal with the attack for the first time during an actual attack. For example, if you are hit by a ransomware attack…
- Will you take your systems offline to prevent further propagation of the attack, even though that will negatively impact your customers?
- Are you confident that your backups are sufficient to restore these systems to proper working order and do you know how long that will take?
- Have you retained a Security Response firm to help you deal with the attackers?
- Do you pay the ransom demanded by the attacker and hope they keep their promise?
- And will paying open you up to even more attacks now that there is precedent that you are willing to pay criminals?
- Finally, do you purchase Cyber Insurance and, if so, how much and are you compliant with the insurer’s requirements?
Last Word
Cybersecurity is a huge problem for the mortgage industry and our nation. Until our government takes more responsibility, it is up to business leaders to protect themselves from highly sophisticated and well-funded attackers. Hopefully some of the suggestions in this article will help with that fight. Good luck.
SAP Fioneer and Ranieri Solutions collaborate to service the modern mortgage market
David Officer — SAP Fioneer launched in 2021 out of SAP to drive innovation in financial services. With decades of experience serving the largest global banks in the world, SAP (and now SAP Fioneer) has seen significant change in technologies, platforms and markets. One market that we’ve observed as ripe for innovation is the US mortgage business. The segment is a significant and important part of the US economy, heavily regulated, but with just a few dominant service providers that rely on legacy technologies.
To effectively address this market, we sought local expertise from our partner Ranieri Solutions to help build out the servicing solution of our C4M (Cloud for Mortgage) platform. Combining the capabilities of SAP’s proven platform, SAP Fioneer’s extensive financial services industry expertise, and Ranieri Solutions’ mortgage servicing experience, we are rapidly bringing to market a modern, scalable and reliable platform for a new industry.
Learn more about Cloud for Mortgage
Now more than ever, customers are at the core of any good system design. As Rob described above, a new platform (with new capabilities) enables a new approach to customer engagement that has the potential to change servicer, customer, and regulator relationships. The C4M platform is built to provide ease of use – a great user experience without sacrificing the requirement for compliance, controls, and risk management.
If you’d like to learn more about C4M, please don’t hesitate to reach out to [email protected] to discuss your business challenges, organize a demo, or schedule a call.
About the authors
Rob Lux, CEO of Ranieri Solutions
Rob Lux is the CEO of Ranieri Solutions. He was previously COO for six years at Cenlar, the largest mortgage subservicer in the country, and CIO at Freddie Mac for seven years, where he built an award-winning technology team. He holds an MS in Technology Management from the University of Pennsylvania and a BS in Engineering from Drexel University.
David Officer, VP of North American Sales at SAP Fioneer
David Officer is the Head of Sales for SAP Fioneer’s North American division, where he oversees SaaS and software sales and overall customer success. Before SAP Fioneer, he was a client service lead at Ernst & Young and the Global Account Director of Financial Services at SAP. He completed his MBA at the University of Albany, SUNY.