FAQ – Information Security – Incident Response

October 3, 2024 BY MQMR Blogger

Question – With the onslaught of breaches affecting the mortgage industry, what can a mortgage lender do to prepare?

 

Answer:

There are numerous ways mortgage lenders can prepare, not only to try to prevent a breach, but also to respond in the event that one does occur. This FAQ focuses on best practices related to a mortgage lender’s incident response procedures.

Maintaining a comprehensive and actionable plan that can be easily and efficiently implemented if a breach occurs is vital for a mortgage lender. A well-developed plan will include, among other things, written procedures that identify roles and responsibilities within the company (including contact information for critical personnel), as well as how and when to report incidents to regulators, agencies, law enforcement, business partners, and/or customers. Mortgage lenders should be aware of their reporting requirements before a breach occurs. This will involve reviewing applicable federal and state statutes, agency guidelines, and agreements with business partners. It may also involve drafting template notices to be used in the event of a breach. These notices will need to be revised and finalized if a breach actually occurs, but may assist in meeting reporting deadlines, which can be as short as two calendar days.

 

A mortgage lender should also consider what type of outsourced resources it may need in the event of a breach. For example, identify the company’s mission-critical vendors in advance of an issue. Also, consider whether the company would need to retain third-party assistance if a breach occurs – i.e., a cybersecurity specialist, law firm, and/or public relations firm. If so, identifying and vetting these resources upfront, before an issue arises, could prove valuable.

Mortgage lenders must dedicate time and resources towards developing an action plan ahead of a breach. A mortgage lender should not be creating or reviewing a template incident management response plan for the first time following a breach. Once developed, hard copies of the customized plan should be available to all critical personnel with incident response roles. The company should also test the plan regularly so that critical personnel understand their roles and responsibilities and to ensure proper execution, while improving the plan based on information learned from the exercises.