As the mortgage industry embraces digitization, it also faces new risks in terms of security and cyber attacks. Non-bank lender Latitude revealed that it fell prey to a ransomware attack in March 2023. Hundreds and thousands of passport numbers were stolen, and 8 million driver’s licenses were exposed. Customers of Freedom Mortgage faced a similar exposure of their social security numbers when the lender suffered a data breach in April 2023.
The examples from just the last few months are too many to recount. Mortgage providers and title insurance companies must pay special attention to their security practices when handling customer data and designing internal processes. Title insurance and escrow companies are particularly at risk since they handle large volumes of transactions, mostly digital, every day.
Why Title and Escrow Companies Need to Go Beyond Cybersecurity Insurance
These companies are at risk of cyber attacks for three reasons. First, title insurance companies regularly handle sensitive customer data. Non-public personal information (NPI) such as settlement statements, 1099 forms (which have income details), and social security numbers pass through title and escrow channels. Not only do these companies acquire this information, but they also retain the data over long periods of time, sometimes decades.
This means that without sufficient cybersecurity insurance and the correct security practices, there are plenty of opportunities for bad actors to get in and wreak havoc.
Second, escrow accounts are a prime target for cyber attacks as they contain large amounts of money, typically held by a third party. Since these are temporary repositories, it is often easier to break into these accounts before permanent security measures – like secure credentials and SSO – kick in. Without security best practices, fraudsters can also impersonate escrow companies, complete with scam accounts and websites.
Finally, the increasing use of software applications in title insurance and escrow companies has added new threat vectors. From settlement and accounts to managing transactions, nearly every process is software-driven and a potential target for a data breach.
Some companies choose cybersecurity insurance to shore up their defenses against such attacks. Indeed, this does protect your company against losses and liabilities arising from any non-compliance. However, market reputation and customer trust are difficult to recover, especially at a time of rising mortgage rates.
That’s why it is essential to follow the best security practices as a preventive measure and not rely on cybersecurity insurance alone.
4 Security Best Practices for Title and Escrow Companies
To lower the likelihood of cyber security attacks and mitigate the damage even if they occur, title insurance providers and escrow companies need to:
1. Employ multi-factor authentication
Simple, password-based authentication mechanisms are extremely vulnerable. For instance, a brute force attack can use automated tools to guess and try millions of passwords until it can finally break into your accounting software. Instead, multi-factor authentication (MFA) checks your identity on three levels – something you have, something you know, and something you are.
For example, you might have a mobile phone number that receives a one-time password. You might know the answer to a unique security question, and as something you are, you might use facial recognition. Only when all three criteria are met can the user gain access to the system.
For convenience, title and escrow companies can employ two-factor authentication in some cases.
2. Blacklist and whitelist network connections
Work-from-home (WFH) scenarios can allow title insurance and escrow employees to log in to their software from insecure networks. This could be public Wi-Fi, prone to digital eavesdropping.
Blacklisting and whitelisting allow you to specify IP addresses that can and cannot access your most sensitive software and databases. You can even configure specific blacklists/whitelists for different information assets, preventing some resources from being accessed outside of the office at all.
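The per-asset lists described above can be expressed as a small policy check. This is an added example, not code from any title or escrow product; the asset names and the policy layout are hypothetical, the addresses are constructed from documentation ranges, and "allow"/"deny" correspond to the whitelist/blacklist in the text.

```python
import ipaddress

# Constructed policy using documentation address ranges (RFC 5737).
# Asset names and network roles are hypothetical.
OFFICE = ipaddress.ip_network("192.0.2.0/24")
VPN = ipaddress.ip_network("198.51.100.0/24")

POLICY = {
    # Escrow ledger: office network only, never reachable from outside.
    "escrow_ledger": {"allow": [OFFICE], "deny": []},
    # Title production system: office and VPN, minus one quarantined host.
    "title_production": {
        "allow": [OFFICE, VPN],
        "deny": [ipaddress.ip_network("198.51.100.66/32")],
    },
}


def is_allowed(asset, source_ip):
    """Return True only if source_ip is on the asset's allow list
    and matches no entry on its deny list."""
    rules = POLICY.get(asset)
    if rules is None:
        return False  # unknown asset: default deny
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return False  # unparseable address: default deny
    if any(addr in net for net in rules["deny"]):
        return False  # deny entries win over allow entries
    return any(addr in net for net in rules["allow"])


if __name__ == "__main__":
    for asset, ip in [("escrow_ledger", "192.0.2.10"),
                      ("escrow_ledger", "198.51.100.5"),
                      ("title_production", "198.51.100.66")]:
        print(asset, ip, "ALLOW" if is_allowed(asset, ip) else "DENY")
```

Anything not explicitly allowed is refused, so a new asset or a malformed address fails closed rather than open.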
3. Regularly audit your security controls
It is not enough to set and forget a security best practice and leave the rest to chance and/or cybersecurity insurance. The controls you set may change frequently, either due to the wishes of the user, changing business processes, or an action taken by an IT or security admin. Security controls may also change when you update your mortgage business software.
That’s why you need regular audits, ensuring that 2FA/MFA are activated, users are following strong password recommendations, inactive users are removed from the system, and so on. Large title and escrow companies can also hire an independent vendor to conduct these audits.
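A recurring audit of this kind can be run as a script over an export of user accounts. This is an added example, not part of the original article; the record fields, the 90-day inactivity threshold and the sample accounts are assumptions made for illustration.

```python
from datetime import date, timedelta

# Constructed export of account records; field names are hypothetical.
USERS = [
    {"user": "closer01", "mfa": True, "last_login": date(2023, 6, 28),
     "access_expires": date(2023, 12, 31)},
    {"user": "escrow02", "mfa": False, "last_login": date(2023, 6, 30),
     "access_expires": date(2023, 12, 31)},
    {"user": "temp03", "mfa": True, "last_login": date(2023, 1, 15),
     "access_expires": None},
    {"user": "vendor04", "mfa": True, "last_login": None,
     "access_expires": date(2023, 5, 1)},
]
AUDIT_DATE = date(2023, 7, 1)  # constructed "today" so results are repeatable


def audit(users, today, inactive_days=90):
    """Return (user, finding) pairs for accounts that drifted from policy.
    inactive_days is an assumed threshold, not a figure from the article."""
    findings = []
    cutoff = today - timedelta(days=inactive_days)
    for u in users:
        if not u["mfa"]:
            findings.append((u["user"], "mfa_disabled"))
        # Never logged in, or last login older than the cutoff.
        if u["last_login"] is None or u["last_login"] < cutoff:
            findings.append((u["user"], "inactive"))
        if u["access_expires"] is None:
            findings.append((u["user"], "access_never_expires"))
        elif u["access_expires"] < today:
            # Access lapsed but the account was not removed.
            findings.append((u["user"], "access_expired_but_present"))
    return findings


if __name__ == "__main__":
    for user, finding in audit(USERS, AUDIT_DATE):
        print(f"{user}: {finding}")
```

Running the same check on a schedule and comparing findings between runs surfaces controls that were switched off after the previous audit.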
4. Invest in cybersecurity education
Human beings are often the weakest link in your security posture, and employees may sometimes be negligent in order to save a little time or be a little more productive. Also, borrowers need to be up-to-date on the latest security risks and be aware of any escrow scams that may come their way. Companies can address these gaps by investing in user education. This includes workshops for employees and readily available online resources for public use.
Have You Undertaken a Cybersecurity Assessment Yet?
Title insurance and escrow companies may be vulnerable to cyber attacks without even knowing it. Since there is cybersecurity insurance to fall back on, companies may not investigate their security posture deeply enough and may let small things slide – such as access privileges that do not expire or no mandatory strong passwords. A cybersecurity assessment will reveal any such existing risks and will also evaluate whether your processes expose you to vulnerabilities in the future.
At Nexval, we work with the country’s top mortgage businesses to strengthen their digital foundations. Speak with our experts to learn how you can maximize business volumes without compromising on security.