April 3, 2024
By Mike McChesney, Principal, BlackFin Group
At least 4 financial services companies in the mortgage business (First American, Fidelity National Financial, Planet Financial, and Mr. Cooper) have disclosed incidents involving cybersecurity breaches or ransomware attacks. These high profile attacks have been publicly disclosed. There are likely other events that have not yet been publicly reported. The impact of these attacks is both operational and reputational, and litigation around them has already begun. At the same time, banks such as JPMorgan Chase say hacking attempts are increasing. These events all point to the fact that for any players in the financial services or mortgage ecosystem, it is not a question of if you will be targeted but when. And don’t think of this as a purely technology risk. This type of event requires the attention of the entire C-Suite to prepare for and execute a response.
Your company may currently performs disaster recovery drills, likely annually, of critical platforms. These are great learning exercises, and they should drive operational or technology improvements following an after action assessment. But a disaster recovery or traditional business continuity test alone is not enough to address the unique cyber risks banks, CU’s, and mortgage bankers face today. Consider a ransomware attack and what your immediate response would be. Are you prepared to immediately execute your response plan? Have you asked and answered questions around each of these response components?
Activate your Incident Response Team:
Activate the incident response team with members from IT, cybersecurity, legal, communications, and senior management to address the attack comprehensively.
Isolate and contain the affected systems to prevent spread and contain the infection.
Have you engaged pre-selected third party experts to coordinate your response and provide the required level of technical expertise to diagnose and remediate the issues?
Understand and comply with legal and regulatory obligations related to data breaches and ransomware attacks.
Work closely with legal counsel to ensure compliance with legal and insurance requirements.
Perform Threat Analysis:
Analyze the attack variant to understand its capabilities, vulnerabilities, and potential mitigations.
Share threat intelligence with relevant cybersecurity experts to leverage understanding of responses to similar attacks.
Perform data recovery and backup
Identify and restore data from secure backups to minimize data loss.
Have you regularly tested backups and practiced recovery processes to ensure their effectiveness.
Execute Business Continuity
How will you close loans in the immediate term? Do you have contingency processes to handle immediate operational requirements and have you practiced these processes?
Are other critical systems still functioning and if not have you prioritized recovery based on available resources to restore?
How will you recover and are your recovery procedures effective?
Launch your communication plan
Do you have pre-developed messages for each required audience?
Notify regulators and law enforcement. Who will you contact and what will you tell them about the event and your response?
Internal communication – Who is authorized to speak to the press or respond to other external inquiries. What are you telling your customer facing teams and how/what will they communicate to impacted customers who reach out to you?
What is the timing and content of any regulatory required customer communication?
Negotiation Strategy:
Decide whether or not to engage in ransom negotiation.
If negotiation is pursued, work with law enforcement and experienced negotiators to ensure a controlled and informed process.
If you decide to pay, how will you use the keys and do you have a broker ready to accomplish a key delivery?
Do you have a playbook for managing your insurance coverage requirements. You must do certain things precisely and work with certain designated parties in order to preserve your insurance coverage.
Are your key vendors on standby and able to respond as necessary?
Post-Incident Analysis:
Conduct a thorough post-incident analysis to understand the root cause, identify weaknesses in cybersecurity measures, and implement and test improvements.
Document lessons learned to enhance future incident response strategies.
You must manage all of these complex issue concurrently, comprehensively, and immediately. If you haven’t performed one already, you should consider a tabletop simulation exercise. This will test all aspects of your response plan, and like an annual disaster recovery test, create valuable learnings about weaknesses in the plan. Addressing these weaknesses in a simulation will position you for the best possible response in today’s cyber risk environment. Each cybersecurity incident is unique, and an effective response requires a combination of technical expertise, strategic planning, and collaboration across all organizational functions. If you question your readiness to respond to today’s threats, call us and we can discuss how you can conduct a simulation to address any gaps in your incident response plan.
Mike McChesney, is a Principal Consultant with BlackFin Group in the Mortgage and Banking Technology Practice. Prior to BlackFin Mike served as CIO of Top Ten mortgage lenders, led many ‘first of a kind’ innovations, Executive Director of at Servicelink, CIO of Planet Home Lending, CIO of IBM’s mortgage outsourcing business and Director in KPMG’s Consumer and Mortgage Lending practice. For more information contact info@blackfin-group.com