Monday, March 21, 2016

Time to Revisit Mortgage Vendor IT Security Reviews

A document management vendor spills files onto the street
It's an accident waiting to happen. Walking down the street through a busy downtown, I witnessed a reminder of the inadvertent problems you can encounter through exposure of customer information. A banker's box of loan files fell off a dolly and crashed into the street, spewing customer information onto the roadway. Luckily for this vendor, the wind was calm, and the driver picked up the materials and returned them to the box without further incident. For me, this highlighted one of the many concerns my clients deal with: information security plans.

Who's Touching Your Clients' Data?

In the image above, it's clear that the driver could have taken the opportunity to capture some information from those loan files. Why weren't the boxes sealed? These are some of the elements that a site inspection of a vendor can reveal. Always review your vendor's procedures.

Today most of our files are transmitted electronically. One client used this as a rationale for not having locked file cabinets in a shared office space. But the reality, upon inspection, revealed "relics" all over her office. Copies of documents she scanned were in shadow files. Other printed material was left in folders on desktops. We overlook that our landlords and cleaning crews have access to the physical space. Always lock your cabinets and leave a clean desk.

Nevada, New York, Pennsylvania and Other Picky Regulators

A slew of requests from Nevada and New York reveal that these regulators have identified the information security weaknesses in our offices. They demand companies have an information security plan, which includes a vendor approval process.

For brokers, particularly, this may seem like overkill, since they don't even have a chance to approve attorneys, appraisers and credit bureaus. They can only use companies previously approved by the investor or wholesaler. However, it makes sense in the context of the level of diligence the lender or broker uses in having the protection of customers' non-public information top-of-mind. Don't send customer information to anyone unless you have ascertained they have received screening from another regulated entity. Better yet, screen them yourself. 

A Vendor Management Information Security Self-Audit Example

You can combine these audits with other elements of your vendor review. For instance, if you have a credit bureau you are reviewing, in addition to their information security plan, you can access their Fair Lending and any other consumer protection policies. Remember that if your vendor is licensed in your state, you can rely on the state's examination of a particular element of the vendor approval.

If you would like a copy of the Vendor Self-Audit Checklist, please e-mail me or like our Facebook page. (Make sure you send me your e-mail address!)