Mortgage Firms Fined on Cybersecurity Fails

State banking regulators have fined three home mortgage businesses and their corporate parent $20 million over a 2021 data breach, the investigation of which uncovered a raft of poor cybersecurity practices at the firms. The offending companies will now need to implement an extensive remediation plan, and as usual, the rest of us have numerous lessons to learn from the incident.

The Conference of State Bank Supervisors, which helps to coordinate large-scale investigations and enforcement actions among the dozens of state banking regulators across the United States, announced the enforcement action on Wednesday. First in line was Bayview Asset Management, an investment management firm that operates in the mortgage industry, followed by three nonbank mortgage subsidiaries that Bayview either owns or controls: Lakeview Loan Servicing, Community Loan Servicing, and Pingora Holdings.

So what happened? As described in the settlement order, trouble began on Oct. 11, 2021, when an employee at one of the firms (the order doesn’t say which) accidentally downloaded some malware onto the Bayview IT system during an internet search. That malware then ran for six weeks from late October through early December, and the attackers absconded with the personal data of some 5.8 million customers.

By April 2022, 53 separate state banking regulators (including at least one from every state in America) banded together under the CSBS to launch a coordinated investigation of Bayview’s cybersecurity practices from 2020 through 2022. The settlement order faults Bayview for a rough start; the companies “did not initially fully and completely comply with the examination authority” although Bayview eventually changed its tune and fully cooperated later. 

More alarming were all the poor IT security practices the states’ investigation uncovered along the way, including: 

  • Insufficient IT patch management;
  • Weak centralized oversight of IT vulnerability remediation, monitoring, and reporting;
  • Insufficient tracking of IT inventory;
  • Failure to encrypt personal data while the data is at rest.

The CSBS report did stress that none of the above failures directly led to the 2021 malware attack; that was caused by the errant employee. Still, the findings read like a greatest hits catalog of IT control failures, and they also constitute violations of various federal and state-specific compliance rules. 

Bayview and its affiliates neither admit nor deny the findings in the CSBS report, and had no statement on the settlement that I could find. 

Remediation Step 1: Governance

First, Bayview itself and its three mortgage affiliates must all adopt a corporate governance framework “commensurate with its size, operational complexity, and overall risk profile” and conforming to standards established by the Conference of State Bank Supervisors. 

That framework is meant to force senior management at each of the businesses to exercise their cybersecurity and IT risk oversight duties more vigorously. Specifically, the management team will need to:

  • Maintain a written information security policy, which will need to be reviewed and updated as necessary every year.
  • Review and update the business continuity plan as necessary every year.
  • Review and update the incident response plan as necessary every year, paying particular attention to the roles and responsibilities of the network operations center and the security operations center.
  • Adopt written policies for configuration management, data protection, identity and access management, IT vendor management, and other issues.

In other words, Bayview and its minions will need to get into some pretty granular detail about their IT risk management efforts. The whole point here is to drive oversight of cybersecurity and IT risk up the command chain, forcing senior leaders to treat those things as the strategic risks they are — not as mere operational or compliance risks that can be left in the hands of lower-level folks.

Yes, lower-level folks will do the actual writing of those policies and plans; but senior leaders still have a duty to review those documents and ask questions about whether the policies and plans make sense given the company’s risks. Senior leaders will need to be engaged on the issue, and the corporate governance framework is a forcing mechanism to do that. That’s the lesson here. 

And More Remediation

Beyond those governance requirements at the top, Bayview and its affiliates will need to do lots more to put those lofty cybersecurity goals into effect. 

For example, each business will need to build a risk management program to address its IT and cybersecurity risks, and the program will need to comply with data protection standards set by the Federal Trade Commission (16 CFR Part 314, known as “the Safeguards Rule”) and the state of New York’s Department of Financial Services (23 NYCRR 500, known as “the DFS Rule”). So that’s a lot of administrative, technical, and physical safeguards that the firms will need to implement.

Getting even more granular, the settlement also spells out that the firms must implement encryption of consumer data when that data is “at rest,” and must cap the number of administrator accounts “to the amount necessary for business operations.” Plus, the companies must also maintain a formal system to monitor, track, and document all material issues and findings identified through normal risk management activities, such as any hiccups uncovered by internal audit.

Speaking of: Each company’s internal audit team will need to perform an audit of the IT and cybersecurity program, and those teams must “maintain an audit schedule that is prepared on a multi-year basis to ensure that applicable IT risk areas are audited with an appropriate frequency, with the objective of auditing critical and high-risk areas of the IT and Cybersecurity program at least annually.”

The companies must also develop specific plans for IT vendor management, patch management, and vulnerability management. All of those subjects should be familiar territory to IT security teams; the point here is that this settlement is forcing the firms to come up with specific plans and procedures to tackle those issues in a disciplined way, so that progress reports can be shared with senior management and everyone stays on track.

Finally, the companies must hire an external consultant to perform an independent review of their corporate governance and risk management efforts and make recommendations for improvement as necessary. (So, kinda sorta like a compliance monitor, but not quite as expensive and scary.) The consultant will share those findings with the state regulators’ oversight committee, and the companies will then need to fold the consultant’s recommendations into their corrective action plan.

Wider Lessons on Cybersecurity

If we wanted to call out any themes from this case that might resonate more broadly, it’s the importance of tying together the strategic and operational dimensions of cybersecurity. That’s what this settlement order is prodding Bayview and its minions to do. 

A corporate governance framework will, ideally, hold senior leadership accountable for thinking about cybersecurity issues at that strategic level — but part of thinking about it at a strategic level is assuring that cybersecurity is properly addressed at the operational level. 

That is, it’s not enough for senior leaders to say, “Yep, cyber is important, so you junior executives get on that.” They must think seriously about what the organization’s cyber risks are, and push the junior executives to devise specific, actionable plans to manage cyber on a daily basis. Those specific, actionable plans must include progress reports that go back to senior management, to provide tangible evidence of what’s going on within the enterprise and how well controls are or aren’t working to keep risks in check.

You can see glimpses of that idea in this settlement order. The requirements for specific plans for IT vendor risk, patch management, inventory tracking — those are tactical issues that lower-level staff will handle; but the performance of those tactical issues will also go into the reports that senior management sees to assure that cybersecurity is working well at the strategic level. 

That’s how cybersecurity will need to work for all organizations, from here forward. A good governance framework will be the chassis that gets you there, while specific remediation steps are the fuel that propels you forward. 
