top of page
  • Writer's pictureTodd Luhtanen

The Countdown to Catastrophe; Why a Thorough Security Audit is Non-Negotiable

December 4, 2023

By Todd Luhtanen, CMT, COO at BlackFin Group

Catastrophe Is Coming

In today's digital age, the importance of cybersecurity for businesses cannot be overstated. It may seem like the headlines are straight out of the latest futuristic movie and the risk is something for others to worry about. You may think it’s not going to happen here, but the threat is real, and hackers are not some bored kids breaking security protocols for fun and bragging rights. The threat actors are international criminals, and the digital world brings everyone into the cross hairs for attack. The threat is real the consequences are dire, and reality is it will knock on your door eventually and it will be sooner than later.

Consequences Are Dire

The consequences of a data breach are severe for both your business and its customers, ranging from financial losses to damage to the company's reputation.

First, you handle sensitive financial information and personal data from your clients including Social Security numbers, bank account information, credit history, and other sensitive data. Any breach of this information can lead to severe financial and reputational damage to you and your clients.

Secondly, federal and state laws and regulations require you to maintain certain security standards. For example, the Gramm-Leach-Bliley Act (GLBA) requires financial institutions, including mortgage lenders, to safeguard their customers' sensitive financial information. Failure to comply with these regulations can result in severe penalties, including fines and even loss of your business licenses.

There have been several instances where mortgage companies have suffered security breaches. Here are a few examples:

  • The data breach at Wells Fargo had resulted in the exposure of sensitive data of over 1.4 million customers, including names, Social Security numbers, and account balances. As a result, Wells Fargo faced a wave of criticism and negative publicity, and the company was forced to pay a $3 billion settlement to the US government for multiple reasons including the breach.

  • First American Financial Corp, one of the largest title insurance companies in the US, suffered a data breach that exposed over 800 million records containing sensitive financial and personal information.

  • Many lenders have suffered a data breach that exposed the personal information of up to a million customers, including names, Social Security numbers etc. resulting in multi-million-dollar settlements.

Bottom line is the risk is real and you are in the cross hairs of hackers. Without a plan your risk profile is high. Even if you have a plan it needs to be reviewed regularly to insure it’s robust and up to date. Evaluating your compliance with applicable regulations and adopting industry best practices will help ensure that you are adequately protecting your systems and data.

You Can Never Be Too Sure

The large amounts of sensitive customer data lenders process and store make you an attractive target for cybercriminals. You need to be sure that every potential vulnerability for a hacker to exploit is shored up. You must ensure thousands of access points are secure, they only need one to get in. The best way to be sure is by performing regular security audits. These audits allow you to actively identify and tackle any vulnerabilities in your systems and processes. They also ensure that you meet all regulatory requirements.

Regular security audits are not just a box to check; they demonstrate an unwavering commitment to protecting your business and maintaining the trust of your customers. The audit is a comprehensive review of your organization's information systems, policies, and procedures to ensure they are secure and protect against potential threats.

There are several critical areas of concern that you should consider, including:

  • Access Controls: Access to sensitive data must be restricted to authorized personnel only. Access controls for both physical and digital systems must ensure that only authorized individuals have access to sensitive information.

  • Data Protection: Sensitive customer data must be protected from unauthorized access, theft, or disclosure. Policies and procedures must cover data protection, including encryption, secure storage, and secure transmission of data.

  • Incident Response: A well-defined incident response plan must be in place to handle security incidents effectively. The incident response plan must be comprehensive and include procedures for detecting, responding to, and reporting security incidents.

  • Vendor Management: Third-party vendors that have access to sensitive customer data must be restricted and monitored. Your organization's vendor management practices must ensure that vendors are adequately vetted and that appropriate controls are in place to manage the risks associated with third-party access to sensitive data.

  • Training and Awareness: All employees must be aware of your organization's security policies and procedures and receive regular training on security best practices. A review of the organization's training and awareness programs must ensure that they are comprehensive and effective.

  • Regulatory Compliance: Current regulatory requirements related to data privacy and security must be addressed. Your organization must maintain compliance with relevant regulations and industry best practices, including the Gramm-Leach-Bliley Act (GLBA), the Fair Credit Reporting Act (FCRA), and the Payment Card Industry Data Security Standard (PCI DSS). Regulations change with the frequency of new technology (or at least they try to keep up). This makes frequent review of compliance essential to your security plan.

6 Steps to Lowering Your Risk

The best way to improve your risk profile is a comprehensive review of your organization's security exposure, including risk assessment, compliance review, technical testing, and recommendations for improvement. This will help your organization identify vulnerabilities, prioritize actions, and improve their security posture. Here are some critical steps to include in your security audit:

  1. Scope Definition: The first step in a security audit is to define the scope of the audit. This involves identifying the systems, processes, and data that fall within the scope of the audit.

  2. Risk Assessment: Conduct a risk assessment to identify potential threats, vulnerabilities, and risks that could compromise the security of your organization's systems and data. The risk assessment includes identifying the likelihood and impact of a security incident.

  3. Compliance Review: Review your organization's compliance with relevant regulatory requirements and industry best practices. This includes reviewing policies and procedures related to data security, access controls, and incident response.

  4. Technical Testing: Perform technical testing to identify vulnerabilities in your organization's systems and networks. This includes vulnerability scanning, penetration testing, and other testing methodologies to identify potential weaknesses.

  5. Report and Recommendations: Post-audit reports summarize the findings and provides recommendations for improving your organization's security posture through a prioritized list of action items to address the vulnerabilities and risks.

  6. Follow-up Review: Once your organization has implemented the recommended changes, they should conduct a follow-up review to ensure that the changes have been implemented correctly and that the security posture has improved.

Avoid the Catastrophe

The threat is real and will always be a part of the digital business environment. The potential consequences of a data breach and cyber-attack on mortgage lenders include financial losses and reputational damage. But there is hope. To avoid a catastrophe conduct regular security audits and protect sensitive financial information, mitigate risks, and stay in compliance. Contact BlackFin Group today to schedule a security audit, or to review your current protective measures.

About the author: Todd Luhtanen knows mortgage lending technology like the back of his hand. He’s the COO of BlackFin Group, a consulting firm that helps banks and mortgage lenders with their business challenges. He’s been in the industry for over two decades, creating lending solutions and advising businesses on how to grow and improve. He also co-founded one of the first Loan Origination Systems ever. Besides that, he runs Talan Consulting and loves to find new and unique ways to improve business operations and efficiency in the lending world.

33 views0 comments

Recent Posts

See All


bottom of page