SAN DIEGO – The quality of data retained by the mortgage industry – borrower assets, and financial and personal records – as well as regulatory requirements to retain data make it attractive to cybercriminals.
Quicken Loans Chief Information Officer Linglong He pressed that point Tuesday during a general session panel at the Mortgage Bankers Association Annual Conference that addressed privacy, technology and cybersecurity.
Compliance doesn't equal cybersecurity, He continued.
Unlike the credit card industry, which has devoted resources over the past 10 years to strengthening cybersecurity, the mortgage industry hasn't been as focused on the issue, Fannie Mae Vice President and Chief Information Security Officer Anthony Johnson added, making it a softer target.
Moderator Teresa Bryce Bazemore, president of the Philadelphia-based private mortgage insurer Radian Guaranty, asked the panel, which also included Teraverde Financial CEO James Deitch, how companies with limited resources can combat cyberattacks.
Deitch said between 60% and 80% of personal information lost during cybercrimes occurs not through a direct attack on technology systems but through social engineering, which includes phishing emails. Therefore, training and awareness are key.
He suggested firms utilize the MBA's Information Security Program white paper, which provides solutions that aren't expensive or highly technical to implement.
Johnson said cybersecurity training must communicate one simple lesson for employees: Don't talk to strangers.
"Most of our business lines do not do business in Eastern Europe or China," he said. "But we let our networks talk to them, and it introduces the question of why? Oftentimes when I talk to customers, they say well, I never really thought about turning that off. So, turn that off and that takes care of about 85% of the threats that are off there."
Although compliance has been costly for mortgage lenders, they must intentionally invest in cybersecurity too, the panel said.
"We've just been through TRID, and it's been a very all-encompassing experience, so find the resources to allocate some dollars to information security," Deitch said. "It's a process that every business – small, medium and large – has to objectively and tangibly go through and evaluate their risks and then match them to resources and spending."
When it comes to vendors and cybersecurity, forget the old adage of trust but verify, He said.
"Verify before trust," she said.
He said she was speaking with a peer who said he wasn't worried about his data because it was maintained off site by a vendor.
"You have to verify everything," she said. "You must conduct an assessment of their security policy, how they do it."
In fact, He said, mortgage lenders may want to visit vendors onsite to ensure they maintain high cybersecurity standards.