
Cyber Security Services for Mortgage Lenders

A mortgage lender provides various services and products designed to help borrowers and brokers originate loans. Lenders also have to package and sell, audit and/or service loans that they have closed. Finally, lenders either provide or coordinate ancillary services such as title policies.

In this capacity, your company has access to a wide variety of sensitive client personal and business information, including PII on borrowers, tax returns, financial statements, banking information, credit card numbers, and credit applications. Additionally, mortgage lenders may utilize older, legacy mortgage processing software applications that were not built with security in mind. Therefore, they may be very vulnerable to hacking and attack. Finally, mortgage lenders' systems are regularly accessed by many third parties - any of whom could be a threat - like what happened to Target when their system was breached via a third-party plumbing company.

Today, lenders must comply with the specific requirements of the Gramm-Leach-Bliley Act (GLBA), which includes implementation of an Information Security Plan. Additionally, lenders must meet quickly changing compliance and regulatory demands of the CFPB, FTC, FDIC, FFIEC and state regulatory entities.

Your company's reputation would be seriously damaged if the firm suffered a cyber breach, and if the breach were bad enough, it could threaten the firm's very survival. Regulators are taking a fresh look at the mortgage lending industry, and clients are starting to ask basic questions about how companies protect their information.

The initial goal of your effort is to reach a point where you can truthfully provide positive answers to the following questions:

1. What are your legal and/or ethical responsibilities to protect client information?
2. Who in your firm has the ultimate responsibility for protecting sensitive client information?
3. Are these responsibilities defined in the engagement letter or contract between you and your clients?
4. Who has access to client information and how does your company control access?
5. What other steps does your company take to ensure that the information described above is correctly protected?
6. What are your policies and procedures regarding notifying clients in case of a cyber breach?

Mortgage Lender Cyber Security Program Components

  1. Risk Assessment. We spend time with your leadership and any in-house or third-party computer service providers that your firm uses and ask some very specific questions. In addition, we identify critical applications, major data flows, external and remote data access, and other potential risk areas and apply various external technical tools. We will produce a prioritized risk assessment document outlining our findings and recommendations.
  2. Cyber Security Policies. Most mortgage lenders have no (or inadequate) cyber security policies. We review what you have and provide you with a set of ten draft cyber security policies and an associated framework designed to work in a mortgage lending firm that you can review, edit, approve, and implement. Each situation is somewhat different, so the basic policy list may vary from firm to firm, but the following list of policies gives you an idea of what to expect:

    -Client Data Protection Policy
    -Access Control Policy (includes the Password Policy)
    -Security Awareness Training Policy
    -Software Patch Management Policy
    -Firewall Configuration and Logging Policy
    -Encryption Policy
    -Remote Access Management Policy
    -WiFi Management Policy
    -Third Party Vendor Management Policy
    -Incident Response Policy

    Additional policies are available upon request.

  3. Attorney Architected Privacy Policy. This is a separate policy because it needs to cover your website and also your business, and they ultimately need to be "harmonized" with other organizational documents. The draft Privacy Policy we will provide to you was written by an attorney who also holds the following certifications: CISSP (Certified Information Security System Professional), CIPP (Certified Information Privacy Professional), and CEH (Certified Ethical Hacker). This is what you need; starting with anything short of this is only asking for trouble later. You will need to review this policy and make sure it is appropriate for your organization. This privacy policy needs to be harmonized with your business practices, data collection practices, and client contracts. This privacy policy template will provide the framework to allow your attorney to do this.
  4. Cyber Security Awareness Training. Your people are always your weakest link, and this includes your most senior partners. Do not fool yourself: everyone must be trained. We have already vetted many cyber security awareness training programs and have found a great value for you, and we know how to deploy and manage it in the most cost-effective way possible. In today's world of business email compromise and phishing attacks, all organizations should be conducting test phishing email exercises. Our vetted solution allows you, or us on your behalf, to conduct these test exercises and see who needs additional training.
  5. Technology Enhancement. We will make recommendations that allow you to use existing technology resources to get more security bang for your buck. Our goal is to help you make meaningful security progress without spending more money on new systems or personnel.

Mortgage Lender Cyber Security Program Cost Estimate for Up to 25 Staff

Risk Assessment (assuming 25 staff or less): $2,500
Eighteen Draft Cyber Security Policies Architected for Mortgage Lending Companies: $2,950
Attorney Architected Privacy Policy: $1,000
Cyber Security Awareness Training (per year for up to 25 staff): $750
Technology Enhancement: $0-2,000
Total Security Program Cost Estimate: $7,850

Additional Services Available Separately

  1. Vulnerability Assessment
  2. Security Development Lifecycle Review for Internally Developed Software (SDLC)
  3. Application Security Assessment
  4. Cyber Liability Insurance Review
  5. Third-party Vendor Security Monitoring. We have vetted and are a re-seller for the premier third-party vendor monitoring solution. This solution generates a daily security score on any vendor's network without requiring access to that network.
  6. Penetration Testing

While every situation is different (and your costs may vary), you can see that it is totally feasible to get your firm to the position where it can truthfully and positively answer the six client questions above for a very reasonable sum. Any service above can be purchased on an a la carte basis.

NOTE: Implementing the above program will make purchasing cyber insurance for your company a whole lot easier. We can also help you navigate the murky waters of the cyber security insurance world and assist you in getting the appropriate insurance coverages. Since cyber insurance is increasingly becoming an important component of risk management for any law firm, please see our cyber insurance discussion that illuminates issues and risks involved.

Please call us TODAY for more information: 303-997-5506
