As cybersecurity costs rise, lenders ask: How much is enough?

Mortgage firms weighing painful and public layoffs in response to the market's downturn are quietly reckoning with another essential, rising expense. 

Cybersecurity is a critical tool for the trillion-dollar industry facing increasingly pervasive and severe data breaches. Lenders and servicers in the past 12 months have been hit hard by data breaches compromising sensitive information on millions of customers, which forced them to bear untold costs for responses.

The price of digital tools and labor to combat cyberthreats is climbing, experts said, and cyber insurance policies are rising as much as 40%, leading some companies to drop policies altogether. Cybersecurity professionals are urging mortgage firms to tread carefully in making difficult balance sheet decisions.

"Even though the industry is feeling it, bad guys don't care, right?" said Arnel Manalo, chief information security officer and vice president of infrastructure for Evergreen Home Loans in Bellevue, Washington. "If anything, they're going to be more aggressive because they're looking on the outside saying, 'Maybe they aren't investing in security because times are tight, so we're going to push harder.' "

The financial impact of a data breach is at an all-time high in 2022, with an average cost of $4.35 million according to IBM research. Those expenses include lost business, detection, notification and post-breach responses. The mortgage industry is ripe for cybercriminals because of the massive amounts of personally identifiable information, like Social Security numbers, and large dollar amount transactions, experts said.

Banks, lenders, servicers, title companies and technology vendors hit by hackers rarely describe how attacks occurred, but in required disclosures they have revealed their scope, which in one instance affected as many as 2.6 million customers.

More expensive tools and labor

Digital tools are part of the rising cybersecurity budget equation. Software and hardware for cybersecurity professionals could cost upward of six figures, said Bruce Phillips, chief information security officer at West, a WFG Company. His firm provides security products and services for real estate agents, title companies and lenders. Cybersecurity professionals are also facing supply chain delays in deliveries of hardware, firewalls, routers and other physical tools.

"They can get really, really expensive, really, really, really, quick," Phillips said. "The requirements for the tools you have is increasing, so your stack is getting bigger. So part of the challenge is managing cost."

Experts declined to provide specific cost structures for cybersecurity services, pointing to varying company sizes and requirements. Phillips suggested a ballpark security budget of approximately $1,500 to $2,000 per employee per year, a figure difficult to adhere to given the industry's current woes. 

Labor costs are also rising due to factors beyond inflationary pressures. The U.S. only has enough cybersecurity workers to fill 68% of open positions, according to Cyberseek, an initiative between public and private partners. Finance and insurance sectors alone are estimated to be seeking to fill 168,000 cybersecurity job openings.

Cybersecurity professionals could earn starting salaries around $70K to $80K, while pay could easily surpass six figures for experienced workers, experts suggested. Information security analysts, a common role, as of last May were paid an average of $128K by technology firms, according to the Bureau of Labor Statistics.

Retention is also difficult in the competitive environment, Phillips said.

"Depending on where you're in the country, if you want to hire somebody to do security, stand by for sticker shock. It's going to be more expensive than you think," Phillips said. 

Businesses can hire professionals to their internal security operations center or outsource the around-the-clock monitoring to a managed detection and response (MDR) provider. A small company, for example, could outsource MDR coverage for $40K to $60K, Manalo said, with costs rising to six and seven figures as businesses get larger. Banks can afford massive staff exceeding hundreds of professionals, Phillips said, while other firms count departments as small as a lone security professional.

Manalo declined to disclose Evergreen's cybersecurity expenses, describing the company's strategy as in sync with what the industry typically spends. Lenders and servicers declined to comment or didn't respond to requests for comment regarding the cybersecurity topic. 

"Most people are very careful or even worried to talk specifics about their cybersecurity," said Rick Hill, vice president of industry technology at the Mortgage Bankers Association. "That would include costs, because anything discussed publicly might point to how someone manages risk, which is something you don't want a bad actor to know about."

Cyber liability policies are also getting pricier, according to Tom Delaney, president of Bankers Insurance Service. The company operates as an insurer but doesn't take the risk; it's a managing general underwriter, meaning it engages with companies, takes applications, underwrites, quotes and issues policies on behalf of carrier partner Lloyd's of London.

Bankers issues the Mortgage Bankers Bond, a combination of a fidelity bond and mortgagee's errors and omissions protections, policies required by Fannie Mae, Freddie Mac, Ginnie Mae and other investors and warehouse lenders. The company has offered a cyber liability and breach response policy since 2012, which includes defense costs and damages from third party litigation, sometimes brought forward by affected customers. 

"We're seeing anywhere from 25% to 40% rate increases in the mortgage lending space," Delaney said.

While Bankers' fidelity bond and E&O coverage is required by the government-sponsored entities, other secondary market investors and warehouse lenders, a cyber policy isn't, experts said. Companies trying to cut costs can lower their policy limits and hike their deductibles; some companies have forgone policies altogether, according to Delaney.

"When you're talking about the non-required coverages like cyber liability you're in classic risk management decision making," Delaney said. "How much risk do I want to take on? How much do I want to insure? Tough decisions have to be made."

Mortgage companies aren't in lockstep when it comes to cybersecurity bona fides; just over half in an Arizent survey earlier this year said they're testing their own IT infrastructure's security, which experts called a glaring oversight. They're also behind their peers in the financial services sector in utilizing artificial intelligence and machine learning tools in cybersecurity tasks, let alone business functions.

Firms misaligned in their cybersecurity strategy can run into issues when applying for a cyber policy. Insurers have moved past the days of single-page questionnaires for companies and are deep diving into a company's cybersecurity bona fides, from their use of multifactor authentication in numerous scenarios to MDR coverage, according to Manalo.

"All of that has led to multiple costs, from an hour, effort and labor perspective," he said. "That's more time answering, that's more time building the product, more time building the program."

Mortgage players have responded to 2022's downswing by laying off staff, shutting lending channels and, in two cases, shutting down entirely. It's unclear how they're assessing their cybersecurity budgets, but peeks into earnings reports and public comments reveal cuts mostly impacting loan officers, offshoring operations and marketing spending, among other moves.

For the unnamed companies trimming or cutting cyber insurance policies, an attack could be catastrophic, experts suggested. That prediction isn't hyperbolic. Several smaller real estate companies went out of business because of the impact of last summer's Cloudstar ransomware attack while other small title and escrow firms are still watching recovery costs soar past $1 million, Phillips said. 

"The criminals don't care how we're doing," Manalo said. "If there's a weak target out there, if there's a way for them to take advantage of the situation, they want to take advantage."
