Diehl & Associates © 2016 Information Security for Mortgage Bankers

Information Security for Mortgage Bankers

Scott Weghorst

• President of Diehl and Associates
• Past President of Pinnacle Mortgage Funding, a Top 25 IBJ Mortgage Lender
• Mortgage Banking Experience including Conventional, FHA, VA, State Housing programs
• President of Indiana Mortgage Bankers 2010-11
• Presented at various groups including Chicago Federal Reserve, IAMP, IL. Mortgage Bankers, Ohio Mortgage Bankers, FHA, Southwest FL Mortgage Bankers on topics ranging from RESPA reform, LO Compensation, FHA Programs, VA Programs
• BS Indiana University Government Finance and Management
• MBA University of Notre Dame Cum Laude
• Members AARMR, MBA
• Married to Renae with 2 Boys 13, 14
• YEO, Lacy Leadership Association, Holy Spirit Geist Feed the Homeless

Diehl & Associates www.diehl1.com

Began conducting FHA Training Seminars in 1983. 50,000 Underwriters, Loan Officers and Processors have been trained.

Recent Headlines

• 3/15: Bangladesh’s funds diverted, $100M. $1B attempted. Malicious code used to enter the bank system allowed them to look and lurk for days until they found the Swift terminal. They then deployed software to track keystrokes to steal operating codes and process and authorize Swift transactions. WSJ 3/23/16
• 2/29: Blackout in Ukraine- power outage, 250,000 people affected, 3 regional companies- Malware (“black energy”, “killdisk”)
• 2/12: Teen hackers who targeted US Officials arrested
• 1/28: Head of NSA’s Elite Hacking Unit: How We Hack. Talks about Tailored Access Operations and how to make a hacker’s life hard

Info Breach Incidents: 2004-2007

Info Breach Incidents: 2008-2010

Info Breach Incidents: 2011-2014

Info Breach Incidents: latest

Underground Prices for Personal Information

Value of Info Types

“Compared to credit card information, personally identifiable information and Social Security numbers are worth more than 10x in price on the black market,” says Martin Walter, senior director at RedSeal.

Source: http://www.networkworld.com/article/2880366/security0/anthem-hack-personal-data-stolen-sells-for-10x-price-of-stolen-credit-card-numbers.html

Mortgage Banker’s Perspective

What do we need to know as mortgage bankers?

What are the penalties?
• Time
• Money
• Reputation

What can we learn from enforcement actions?

What are states doing?

Mortgage Banker’s Perspective

Risk of Enforcement Actions
• UDAAP ($5k/$25k/$1M a day)
• Referred to State Attorney General

Reputational Risks

Private actions / Class Actions
• No longer required to prove damages from privacy violation

FTC vs. Wyndham
• Hackers accessed customer data

Overall awareness
• FTC Enforcements Mortgage Related
• 47 States (Plus DC, Guam, Puerto Rico and V.I.) require breach notification
• Washington State Posts Information Security on their website
• Mortgage rules and state exams

Rules in Play

Privacy and Security
• Gramm-Leach-Bliley
• States Rules
• Fair Credit Reporting Act
• Identity Theft Red Flags Rule

Cyber Security
• SEC Cyber Security Guidance
• NY State DFS

General
• FFIEC Guidelines
• FTC Regulations
• FDIC PR-28-2014

Vendor Management
• OCC Bulletin 2013-29
• CFPB Bulletin 2012-03
• Federal Reserve – Guidance on Managing Outsourcing Risk (SR 13-19/CA Letter 13-21)

Wyndham- $10.6 M

• Stored payment info in text format
• Easily guessed passwords
• Didn’t use readily available security measures (ex: firewalls)
• Hotel systems connect without proper precautions
  o Outdated OS, no security updates in 3 years
  o Default user ID enabled
• Didn’t restrict vendor access
• Didn’t employ “reasonable measures to detect and prevent unauthorized access” or “conduct security investigations”
• Didn’t follow “proper incident response procedures”
• UDAAP because privacy policy states how information is protected

Premiere Capital Lending

• Allowed a home seller to use its account for accessing credit reports in order to refer purchasers for financing without taking reasonable steps to verify the seller’s procedures to handle, store, or dispose of sensitive personal information

• Failed to assess the risks of allowing a third party to access credit reports through its account

• Failed to conduct reasonable reviews of credit report requests made on its account by using readily available information (such as management reports and invoices) to detect signs of unauthorized activity, and

• Failed to assess the full scope of credit report information stored and accessible through its account and thus compromised by the hacker

Premiere Capital Lending

According to the FTC, a hacker exploited Premier’s failures by breaching the seller’s computer, obtaining Premier’s user name and password, and using these credentials to obtain at least 400 credit reports through Premier’s account. The FTC complaint also alleges that Premier violated Section 5 of the FTC Act and the Privacy Rule by failing to live up to its own privacy policy, which claimed: “We take our responsibility to protect the privacy and confidentiality of customer information very seriously. We maintain physical, electronic, and procedural safeguards that comply with federal standards to store and secure information about you from unauthorized access, alteration and destruction. Our control policies, for example, authorize access to customer information only by individuals who need access to do their work.”

Superior Mortgage

• 40 branches in 10 states
• Failed to assess risks to customer information
• Failed to implement password policies
• Did not encrypt information before sending via email
• Failed to ensure service providers were providing appropriate security for customer info and addressing known risks
• Failed to encrypt info before emailing it to headquarters

Order:
• Establish Policies and Procedures
• Hire third party auditor
• Review Policies and Procedures every 2 years and report for 10 years

https://www.ftc.gov/enforcement/cases-proceedings/052-3136/superior-mortgage-corp-matter

Dwolla

• First CFPB Action
• Online payment provider
• Enforcement very pertinent to Mortgage Lenders

UDAAP
• Communication with consumers: “safe” and “secure”, “surpass” or “exceed” industry standards and that “information is securely encrypted and stored”
• Lack of a sufficient plan in writing
• No risk assessments
• No employee training: in a phishing test, 50% opened, 62% clicked on the link and 25% attempted to register with a username/password

Corrective actions
• Stop misrepresenting
• Train employees and fix flaws
• Pay $100,000 penalty

Source: CFPB Consent Agreement http://files.consumerfinance.gov/f/201603_cfpb_consent-order-dwolla-inc.pdf

What are States doing?

• State Spotlight: North Dakota - Information Security is Top Priority
• Michigan’s Top 10 list of missed items by mortgage lenders during exams: #1 Information Security Program, #2 Identity Theft Prevention Program
• Washington State has Information Security Questionnaire
  o Designated person, business continuity plan, data plan, personnel, physical, technical security
  o Six scenarios- Explain how you defend against and respond to
• 49 states have breach / notification requirements
• Is this a high profile topic?

Evaluate Risk

• What is your level of Board/Board Equivalent Involvement?
  o Processes in place
  o Roles of reviewers or review committees
• Evaluate the Risk Assessment Process
  o Formal risk assessment in place and documented
• Evaluate the Adequacy of the Program to Manage and Control Risk
  o Once risk is identified, how is it handled - accept, reduce, assign
• Assess the Measures Taken to Oversee Service Providers
  o How do you evaluate and monitor 3rd party risk
• Determine whether an Effective Program Exists to Adjust the Program
  o Changing environment, business changes

Use the Inherent Risk Profile as a Checklist

• Total ISP Connections
• Unsecured external connections
• Wireless network access
• Personal devices allowed to connect to network
• 3rd Party Vendors List
• Wholesale customers with dedicated connections
• Internally hosted / developed or modified vendor applications
• Internally hosted / vendor-developed applications
• User developed tech and computing (excel spreadsheets)
• End of life systems
• Network devices (servers, firewalls)
• 3rd Party Providers Storing Data
• Cloud services

Use the Inherent Risk Profile as a Checklist

• Customer channels
• Online presence
• Mobile presence
• Person-to-person payments
• Originating ACH payments
• Originating wholesale payments
• Mergers and acquisitions
• Changes in IT and info sec staff
• Privileged access (admins)
• Changes in IT environment
• Locations
• Attempted attacks

Look at Cybersecurity Maturity

• Governance • Risk Management • Resources • Training and Culture • Threat Intelligence • Monitoring and Analyzing • Information Sharing

Maturity Levels

Assess and Conquer

High Risk / Low Maturity High Risk / High Maturity

Low Risk / Low Maturity Low Risk / High Maturity

NIST-Cybersecurity Framework

• Framework core- identify, protect, respond, recover
• Framework implementation tiers- partial, risk informed, repeatable, adaptive
• Framework profile (alignment)- executive level- business/process- implementation/operation

http://www.nist.gov/cyberframework/index.cfm

A Look at the Framework Core…

NIST- Establishing or Improving Your Plan

1. Prioritize and scope
2. Orient
3. Conduct current profile
4. Conduct risk assessment
5. Create a target profile
6. Determine, analyze, prioritize gaps
7. Implement action plan

NIST- Assess the Framework

1. Governance
2. Approaches to identifying and authorizing access
3. Awareness and Training Measures
4. Detection and Monitoring
5. Response activities, info sharing, mitigation

Cybersecurity Risk

• No quick fix • A matter of time • No target is hack proof • Preparedness- respond and recover • Activate the plan

Data Breach Response Guide

Step 1 Communicating to the C-Suite

Step 2 Creating Your Plan

Step 3 Practicing Your Plan

Communicating to the C-Suite

• 77% – Suggested more fire drills to practice data breach response would help them be more prepared
• 40 Billion – U.S. company losses from unauthorized use of computers by employees last year
• $217 – The average cost for each compromised record containing sensitive and confidential information increased, with the total average cost rising to $6.5 million
• $184 - $330 Million – Average loss in brand value, depending on the information lost as a result of the breach
• 1 Year – Average time to restore an organization’s reputation after records containing confidential customer information are lost or stolen

file:///C:/Users/Diehl1/Documents/Yingyang/2015-2016-data-breach-response-guide.pdf

Creating Your Plan

Start with a bullet-proof breach response team

Engage your external partners

Consider cyber insurance

Selecting legal partners

Incorporating PR and communications

Handling global breaches

Creating Your Plan

Start with a bullet-proof breach response team

Your internal breach response team should include the following:
• Incident lead
• Public relations
• Executive leaders
• Customer care
• HR
• IT
• Legal

Creating Your Plan

Engage your external partners

Types of external partners • Data breach resolution providers • Forensics • Communications • Legal counsel

Creating Your Plan

Engage your external partners

What to look for in a partner: • Understanding of security and privacy • Strategic insights • Ability to scale • Relationship with regulators • Global considerations

Creating Your Plan

Consider cyber insurance

Benefits:
• Companies with insurance often have a stronger security posture.
• A breach event is often smoother operationally with a pre-breach plan already in place.
• When a plan is in place and successfully executed, the average cost of the response can be up to 25 percent lower.

Creating Your Plan

Selecting legal partners

Considerations:
• Past experience with breach litigation and established relationship with local regulators
• Ability to provide insights about the latest development in case law
• Ability to serve as an overall breach coach

Creating Your Plan

Incorporating PR and communications

Key elements: • Enlist a representative • Map out your process • Prepare templated materials • Cover all audiences • Test your communications process

Creating Your Plan

Handling global breaches

Prepare for organizations with an international footprint:
• Develop a roster of attorneys in your countries who are familiar with existing local breach notification laws
• Consider the need to engage a local public relations consultant should a breach occur
• Assess if you need local call centers who are familiar with local sentiment regarding privacy issues
• Ensure your notification partner can handle multi-language letters

Practicing Your Plan

Conduct response exercises at least twice per year

Implement a simulation exercise

Develop a training module

Practicing Your Plan

Conduct response exercises at least twice per year

Activities should include:
• Working with employees to integrate smart data security efforts into their daily work habits
• Developing data security and mobile device policies that are updated regularly and communicated to all business associates
• Investing in the proper cyber security software, encryption devices and firewall protection
• Updating these security measures regularly
• Limiting the type of both hard and electronic data someone can access based on their job requirements
• Establishing a method of reporting for employees who notice that others aren’t following the proper security measures
• Conducting employee security training/retraining at least once a year

Practicing Your Plan

Implementing a simulation exercise

Where to start:
• Enlist an outside facilitator
• Schedule a healthy amount of time
• Include everyone
• Test multiple scenarios
• Debrief after the exercise
• Conduct drills every 6 months

Practicing Your Plan

Developing a training module

Use scenarios pertinent to your industry and the type of data your company stores to hone the response skills of your employees.
• What scenarios can you create that are pertinent to your company?
• What questions can you ask to help hone the response skills?

Practical Top Tips

• Passwords • System updates • Thumb drives • New installs • Social Engineering / Pretexting • USB • Mobile devices • Phishing emails- There are no Nigerian princes • Privacy policy • Secure docs when traveling • Encryption

Risky Behaviors

• Mortgage Loan Examples:
  o Loan originators speaking loudly or using speaker phones to gather personal non-public ID information
  o Leaving loan files open or on desks for cleaning crews to see
  o Leaving laptops and/or files accessible in cars
  o Not password protecting loan file information
  o Using PDAs or cell phones to gather file information and not securing either

Risky Behaviors

• Leaving copies of information unattended
  o Fax confirmations
  o Copies of ID
  o Extra copies of documents
  o Copies left on copy machines
  o Loose papers on desk
• Keeping “ghost files”
• Transferring information outside of corporate networks (i.e. using Gmail or Yahoo! instead of corporate mail programs)

Common ID Theft Methods

Skilled identity thieves may use a variety of methods to get hold of your information, including:
• Dumpster Diving- i.e. company directories
• Skimming, i.e. swiping
• Phishing- “Powel inks”- contacts outside servers for more information and doesn’t store files on the host PC. Ad clicking revenue. Email to call your card company.
• Pretexting
• Old-Fashioned Stealing
• Changing your Address

Common ID Theft Methods

You, as an MLO, are a target in many ways exhibited in the above examples because:

• Social Engineering and pretexting is a powerful tactic • Mortgage Originators hold a wealth of information • Many proven ways to exploit that behavior

Ways to Spot a Scam

• Bad grammar • Demanding language • Vague (Dear Bank Customer) • Links are not legitimate (hover over) • Emails are asking for personal information
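Four of the five indicators on this slide (a vague salutation, demanding language, a link whose visible text does not match where it really points, and a request for personal information) can be checked mechanically before anyone clicks. The Python below is an added example, not part of the original deck; the phrase lists, the two-indicator threshold and both sample messages are constructed assumptions, and the "bad grammar" indicator is left to the human reader.

```python
import re
from urllib.parse import urlparse

# Phrase lists are constructed for this example; tune them to your own mail traffic.
VAGUE_SALUTATIONS = ("dear customer", "dear bank customer", "dear user", "dear account holder")
DEMANDING_PHRASES = ("immediately", "within 24 hours", "will be suspended", "urgent", "act now", "final notice")
PERSONAL_INFO_TERMS = ("password", "social security", "ssn", "pin", "account number", "date of birth")

# Matches an HTML anchor and captures its real destination and its visible text.
ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.IGNORECASE | re.DOTALL)
LOOKS_LIKE_HOST = re.compile(r"[a-z0-9-]+\.[a-z]{2,}", re.IGNORECASE)


def host_of(url):
    """Hostname of a URL; a bare 'portal.example.com' is treated as a URL too."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


def mismatched_links(message):
    """Return (visible_text, real_href) pairs where the visible text names a host
    that differs from the real destination, which is what 'hover over the link' reveals."""
    found = []
    for href, inner in ANCHOR_RE.findall(message):
        visible = re.sub(r"<[^>]+>", "", inner).strip()
        if LOOKS_LIKE_HOST.search(visible) and host_of(visible) != host_of(href):
            found.append((visible, href))
    return found


def _mentions_any(text, terms):
    # Whole-word match so that 'pin' does not fire on 'shipping'.
    return any(re.search(r"\b" + re.escape(t) + r"\b", text) for t in terms)


def phishing_indicators(message):
    """List which of the slide's indicators are present in one message."""
    body = message.lower()
    hits = []
    if _mentions_any(body, VAGUE_SALUTATIONS):
        hits.append("vague salutation")
    if _mentions_any(body, DEMANDING_PHRASES):
        hits.append("demanding language")
    if mismatched_links(message):
        hits.append("link text does not match destination")
    if _mentions_any(body, PERSONAL_INFO_TERMS):
        hits.append("asks for personal information")
    return hits


def is_suspicious(message, threshold=2):
    """Two or more indicators together is a reasonable 'stop and verify' trigger (assumption)."""
    return len(phishing_indicators(message)) >= threshold


# Constructed sample messages; the bank name and the IP address are placeholders.
SAMPLE_PHISH = """Dear Bank Customer,

Your online access will be suspended within 24 hours unless you verify your
password and Social Security number now. Log in at
<a href="http://198.51.100.23/login">https://www.examplebank.com/secure</a>
to keep your account active."""

SAMPLE_LEGIT = """Hi Renae,

Thanks for stopping by the branch yesterday. The closing documents are ready in
the portal at <a href="https://portal.examplebank.com/docs">portal.examplebank.com</a>.
No action is needed before Friday."""

if __name__ == "__main__":
    for name, msg in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, is_suspicious(msg), phishing_indicators(msg))
```

Run against the two constructed messages, the phishing sample trips all four mechanical indicators and the routine branch message trips none.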

Things to Remember

• NOBODY will send you an email asking you to change passwords, verify personal information, etc.
• Never contact via a link. If your bank needs something, go to them directly.
• Don’t install executables
• There are no Princes in Africa trying to sneak money out of the country.
• Nobody needs you to act as an escrow agent for a split of millions.

https://www.ftc.gov/tips-advice/business-center/guidance/fighting-identity-theft-red-flags-rule-how-guide-business
http://www.utica.edu/academic/institutes/cimip/idcrimes/schemes.cfm

Resources

Additional SBA Tips
https://www.sba.gov/content/additional-cybersecurity-resources

Cyber Security: SBA October is Cyber Security Awareness Month
https://www.sba.gov/navigation-structure/cybersecurity

Data Breach Response Guide
file:///C:/Users/Diehl1/Documents/Yingyang/2015-2016-data-breach-response-guide.pdf

FCC’s Cybersecurity Tips for Small Businesses
http://transition.fcc.gov/Daily_Releases/Daily_Business/2012/db1018/DOC-306595A1.pdf

FDIC Guidance
https://www.fdic.gov/regulations/laws/rules/2000-8660.html

Resources

FFIEC Guidance and Cyber Security Assessment Tool
https://www.ffiec.gov/cyberassessmenttool.htm

Financial Services Information Sharing and Analysis Center
https://www.fsisac.com

FTC
https://www.ftc.gov/tips-advice/business-center/privacy-and-security

FTC- “Privacy and Data Security Update 2014 (with update 1/2015)”
https://www.ftc.gov/reports/privacy-data-security-update-2014

FTC "Protecting Personal Information, A Guide for Business"
https://www.ftc.gov/tips-advice/business-center/guidance/protecting-personal-information-guide-business

Resources

FTC Small Entity Compliance Guide Model Privacy Form:
https://www.ftc.gov/sites/default/files/documents/rules/privacy-consumer-financial-information-financial-privacy-rule/model_form_rule_a_small_entity_compliance_guide.pdf

NIST: Small Business Information Security
http://csrc.nist.gov/publications/drafts/nistir7621-r1/nistir_7621_r1_draft.pdf

Small Business Tip Card
http://www.dhs.gov/sites/default/files/publications/Small-Business-Tip-Card_04.07.pdf

Washington State DFI Information Security Resources for Mortgage Exams
http://www.dfi.wa.gov/mortgage-brokers/examinations

Cyber Security Tips from SBA

Cyber Security: SBA October is Cyber Security Awareness Month
https://www.sba.gov/navigation-structure/cybersecurity

Cyber Attack Reporting Requirements:
1. Inform local law enforcement or the state attorney general as appropriate.
2. Report stolen finances or identities and other cybercrimes to the Internet Crime Complaint Center.
3. Report fraud to the Federal Trade Commission.
4. Report computer or network vulnerabilities to US-CERT via the hotline: 1-888-282-0870 or the US-CERT website.

Top Ten Cyber Security Tips

1. Protect against viruses, spyware, and other malicious code. Make sure each of your business’s computers is equipped with antivirus software and antispyware and update regularly. Such software is readily available online from a variety of vendors. All software vendors regularly provide patches and updates to their products to correct security problems and improve functionality. Configure all software to install updates automatically.

2. Secure your networks. Safeguard your Internet connection by using a firewall and encrypting information. If you have a Wi-Fi network, make sure it is secure and hidden. To hide your Wi-Fi network, set up your wireless access point or router so it does not broadcast the network name, known as the Service Set Identifier (SSID). Password protect access to the router.

3. Establish security practices and policies to protect sensitive information. Establish policies on how employees should handle and protect personally identifiable information and other sensitive data. Clearly outline the consequences of violating your business’s cyber security policies.

Top Ten Cyber Security Tips

4. Educate employees about cyber threats and hold them accountable. Educate your employees about online threats and how to protect your business’s data, including safe use of social networking sites. Depending on the nature of your business, employees might be introducing competitors to sensitive details about your firm’s internal business. Employees should be informed about how to post online in a way that does not reveal any trade secrets to the public or competing businesses. Hold employees accountable to the business’s Internet security policies and procedures.

5. Require employees to use strong passwords and to change them often. Consider implementing multifactor authentication that requires additional information beyond a password to gain entry. Check with your vendors that handle sensitive data, especially financial institutions, to see if they offer multifactor authentication for your account.

Top Ten Cyber Security Tips

6. Employ best practices on payment cards. Work with your banks or card processors to ensure the most trusted and validated tools and anti-fraud services are being used. You may also have additional security obligations related to agreements with your bank or processor. Isolate payment systems from other, less secure programs and do not use the same computer to process payments and surf the Internet. Are you ready for the shift from magnetic-strip payment cards to safer, more secure chip card technology, also known as “EMV”? October 1st is the deadline set by major U.S. credit card issuers to be in compliance. Visit SBA.gov/EMV for more information and resources.

7. Make backup copies of important business data and information. Regularly back up the data on all computers. Critical data includes word processing documents, electronic spreadsheets, databases, financial files, human resources files, and accounts receivable/payable files. Back up data automatically if possible, or at least weekly, and store the copies either offsite or on the cloud.

Top Ten Cyber Security Tips

9. Control physical access to computers and network components. Prevent access or use of business computers by unauthorized individuals. Laptops can be particularly easy targets for theft or can be lost, so lock them up when unattended. Make sure a separate user account is created for each employee and require strong passwords. Administrative privileges should only be given to trusted IT staff and key personnel.

Top Ten Cyber Security Tips

10. Create a mobile device action plan. Mobile devices can create significant security and management challenges, especially if they hold confidential information or can access the corporate network. Require users to password protect their devices, encrypt their data, and install security apps to prevent criminals from stealing information while the phone is on public networks. Be sure to set reporting procedures for lost or stolen equipment.

Protect all pages on your public-facing websites, not just the checkout and sign-up pages

10 Deadly Sins of Information Security Management
Basie von Solms, Rossouw von Solms

1. Not realizing that it’s a C-Level priority
2. Thinking it’s a technical issue and not a business issue
3. Not realizing all its dimensions- there’s no one-dimensional, off-the-shelf solution
4. Not getting that the plan should be based on identified risks
5. Not leveraging int’l best practices
6. Not realizing that a corporate policy (based specifically on exactly how the business operates) is essential
7. Not realizing that compliance and monitoring is absolutely essential
8. Not realizing governance is essential
9. Not realizing the core importance of information security awareness amongst users
10. Not empowering information security managers with the infrastructure, tools and supporting mechanisms to properly perform their responsibilities

Thank You !