DATA SECURITY AND WHAT MORTGAGE BROKERS NEED TO KNOW
Brokerages advised to build a culture of cyber vigilance
SUBMITTED BY PROLINK CANADA'S INSURANCE CONNECTION
Mortgage brokers and administrators are among the most valued members of the financial services industry. That’s the good news. The bad news? Cyber criminals target the financial services industry more than most other sectors. Why? Because of mortgage brokers’ access to confidential personal and financial information, not to mention valuable third-party connections to lenders, credit agencies, investors, law firms and more. Simply put, mortgage brokers either have the type of personal information that cyber criminals seek, or are a potential gateway to it.
According to the 2022 CIRA Cybersecurity Survey, 44 per cent of Canadian businesses indicate their organization has experienced an attempted or successful cyber attack in the last 12 months.
1. INSUFFICIENT CYBERSECURITY
Unencrypted connections, misconfigured servers, unpatched systems and other gaps in network security are clear entry points for opportunistic cyber criminals to infiltrate your network and compromise data. But while larger corporations can afford to strengthen their defenses, many small and midsize brokerages lack the funds to invest in proper safeguards or the personnel to maintain them once implemented. Many also rely on personal devices or free resources, like Gmail, Dropbox or Zoom, to conduct business, which are challenging to adequately secure.
Additionally, with many mortgage brokers – and their clients – now working from home or working on the go, attackers’ digital entry points have increased exponentially, with extra exposure from weak home security or even public Wi-Fi networks.
2. HUMAN ERROR
The typical mortgage brokerage has a fast-paced, entrepreneurial culture. While this environment is conducive to sales, it can pose a threat to data security. To close a deal quickly, a mortgage brokerage’s employees and subcontractors may bypass security rules by using a personal email to send client information or improperly access data that resides with the company’s cloud services provider. Or they might be so distracted that they misplace a personal device or fail to securely dispose of a client file. These actions could all easily put the brokerage at risk of a breach.
The rise of working remotely has compounded these issues. With many employees working far from the direct oversight of information technology (IT) staff and senior leadership, they might be less vigilant about installing software updates, maintaining password hygiene or using a secure connection. Alternatively, they might simply be unaware of how to handle sensitive data or even recognize the signs of a phishing attack or a breach.
3. THIRD-PARTY COMPROMISE
Many entrepreneurs incorrectly believe that doing business with a major cloud service provider (CSP), such as Amazon or Apple, or even a credit agency like Equifax, absolves them of any responsibility in the event of a breach.
However, under Canada’s federal privacy law PIPEDA, as well as various provincial regulations in Alberta, British Columbia and Quebec, your brokerage is legally obligated to protect clients’ data every step of the way, whether it is being stored onsite, in the cloud or running a credit check. Using a third party to collect, store, process or otherwise handle data won’t transfer liability, and the brokerage can still be held accountable and be sued for failing to protect client data.
WHAT ARE THE CONSEQUENCES?
Unfortunately, the repercussions from a cyber incident can be severe, leading to lasting financial, legal and reputational harm. Without proper protections in place, brokers and their staff risk permanently losing access to mission-critical data. As a custodian of personally identifiable information (PII), you could face penalties of up to $100,000 per violation under PIPA if you fail to properly collect, retain or dispose of personal information in your custody or to report a privacy breach.
Then there are indirect costs, such as client notification, investigation, system downtime, business interruption and legal fees from any client lawsuits. In fact, IBM Security’s 2022 Cost of a Data Breach Report puts the average cost per lost or stolen record in the financial services industry at $520. Even worse? Diminished goodwill from the breach might do even more harm than remediation costs, especially if you don’t take swift action or notify breach victims right away. Once you’ve lost that trust, it won’t be easy to regain it or to attract new clients, employees or even investors.
WHAT CAN YOU DO?
According to Derrick Leue, president and CEO of PROLINK-Canada's Insurance Connection, "It is imperative for mortgage brokers and brokerages to take preventative action and work towards a long-term cyber risk management strategy." Leue recommends that mortgage brokers focus on:
SECURITY: Add extra layers of protection to all networks and devices, such as multi-factor authentication (MFA) and endpoint detection and response (EDR) software. Encrypt data at rest and in transit, and routinely back up your information. Keep systems updated with the latest security patches. Develop a tailored incident response plan in case of a breach.
EDUCATION: Build a culture of cyber vigilance. Provide tailored security awareness training to all employees, including how to handle sensitive data, use software safely, and identify, avoid and report potentially harmful situations. Keep them aware of threats as they emerge and partner with a cybersecurity firm to offer high-quality training and simulations.
INSURANCE: General liability insurance won’t cover a breach, but a dedicated cyber insurance policy can help you protect digital assets, offset losses and help get your business back online. Plus, depending on your coverage, your policy may provide funds for your legal liability, a legal breach coach, public relations consultants, IT network forensic specialists, client notification and more. For more information, consult with a licensed insurance broker.
PROLINK-Canada’s Insurance Connection is an independent Canadian insurance brokerage that represents more than 30 insurance companies. Information: prolink.insure