Can tech and cybersecurity audits deliver savings to lenders?

Img

A proper technology audit could save mortgage lenders much-needed cash during the housing market's doldrums.

Matt VanFossen, CEO of Absolute Home Mortgage, recalled one such change his company made in response to slower lending. 

A look inward prompted Absolute to begin requesting verification of income and employment reports later in the underwriting process, rather than using it to validate prospects lingering longer through mortgage applications. 

"What was giving you efficiency three years ago may not be giving you efficiency, and might actually be increasing your costs today," he said.

Tech audits can be wide in scope, but experts say they're crucial reviews of a company's controls and effectiveness. Not every audit will save a dollar, they warn. Some businesses could even be skipping critical cybersecurity audits amid tightening budgets, despite more frequent data breaches

"Broadly all audits are going to focus on what you should be doing, versus what you say you're doing," said Matt Lehnen, chief technology officer at Deephaven Mortgage. "Then are you putting into practice what you say, and what you need to do, and then proving that with evidence."

What's being audited, and how often?Home loans and origination statistics aren't considered in tech audits. A Sarbanes-Oxley Act audit, or SOX audit relating to how a company generates its financial statements, does have a technology component, said Shawn Malhotra, chief technology officer at Rocket Companies.

A technology-focused review looks at aspects from policies and procedures; server hosting; backup and disaster recovery; security protocols; infrastructure such as laptops and virtual desktop systems; and more. 

Another focus is the service level agreements between a company and its vendors. Malhotra said artificial intelligence is becoming a more important part of vendor assessments, in assessing whether business partners are using it to become more effective. 

"Are they thinking about the unique information security interests that arise with AI? Do they have the right kind of processes in place to ensure that they can deliver that responsibly?" he said. "That's a new emerging kind of part of the audit that has to be considered."

Government-sponsored enterprises in seller guides say companies are responsible for their own third-party oversight. A cybersecurity inspection meanwhile checks a wide swath of security operations against numerous cybersecurity frameworks.

A typical top-100 independent mortgage bank will have the capacity to conduct internal audits, while smaller-scale mortgage bankers will rely more on third-party auditors, VanFossen said. Tech professionals still recommend businesses retain an outside firm for an unbiased look at a company.

"My recommendation is to typically have a third party come in and audit," said Michael Nouguier, director of cybersecurity services at Richey May. "We don't owe that organization anything other than the truth."

The usual audit cadence is quarterly and annually, experts said. Regulatory changes, cybersecurity incidents, or internal information technology overhauls could prompt ad hoc inspections. Cybersecurity inspections, like penetration testing to find vulnerabilities in servers, could be conducted on a continual basis. 

"You don't want to be surprised if you only did an annual, and no other testing in between," said Lehnen. "There's ways for something to go into variance and you wouldn't know, so it's better to know sooner so you can remediate. The quarterly basis is what keeps it fresh."

What's in a cybersecurity audit?Risk mitigation assessments will be extremely thorough, testing and documenting every policy, control and system, experts said. 

There are numerous cybersecurity-specific frameworks auditors will test a company's controls against, among them the ubiquitous Service Organization Controls 2, or SOC 2 compliance. That standard, created by the American Institute of Certified Public Accountants, requires a certificate of verification. However, third parties can make the checks without a certification, said Jim Routh, chief trust officer at Saviynt and veteran of cybersecurity roles at major financial services firms.

Other prominent security frameworks cited by cybersecurity experts include guidelines by the federal National Institute of Standards and Technology, particularly its SP 800-53B controls. There's also frameworks by the International Organization for Standardization, and the 18 Critical Security Controls outlined by the nonprofit Center for Internet Security.

Controls inherent to a cybersecurity review include multi-factor authentication, encryption, security policies and procedures, and pen testing where experts attempt to hack into a company's servers.

While regulators may mandate cybersecurity reviews, a company will use more "raw and real data" for internal reviews, said Nouguier. 

Larger companies that build rather than buy their technologies may utilize an internal security team, said Jason Bressler, chief technology officer at United Wholesale Mortgage. The Pontiac, Michigan mortgage giant conducts its own in-house reviews.

"When we build our code, when we build our databases, when we own our data, we build it with security measures in place and then we're totally fully accountable for that," he said.

UWM still hires an outside firm to conduct a more comprehensive check, in line with professional suggestions that an unbiased actor takes a look.

Costs and savingsTypical audit savings are difficult to discern given each company's size and priorities, experts said. Scrutinizing a tech stack could give a business hints at where savings could be realized, such as a vendor not fulfilling an SLA, or in Absolute Home Mortgage's case, an expense that could be mitigated.

Malhotra, a tech industry veteran, pointed to usage data as a valuable data point. In past assessments throughout his career, the Rocket CTO said audits have shown tools procured in the past have not been used regularly.

"Yet, oftentimes, you're still paying the cost of licenses," he said. "So that's something that I think I've seen get cleaned up by in multiple areas."

Lenders could be limited in addressing findings quickly. Some products like a loan origination system could be hard to swap out, should a vendor audit find deficiencies.

"If you're going to swap out your (customer relationship management) or (point-of-sale) or product and pricing engine, these are maybe not as core of a system as an LOS," VanFossen said. "But you still have to look at what the cost of making that change is."

Alongside internal audit teams, internal department heads should be doing period assessments, a cost VanFossen describes as already built-in. Third party auditors meanwhile can cost upwards of tens of thousands, or hundreds of thousands of dollars, industry veterans said.

Richey May's Nouguier said $20,000 is a good starting point for a basic cybersecurity assessment. Extras can range from penetration testing to configuration reviews of Microsoft or Amazon Web Services applications. The audit expert warned firms of "free cybersecurity assessments" in which businesses can simply submit a survey to a vendor to assess their profile.

"That's not really looking underneath the hood," he said. "If my doctor sent me a questionnaire and said, 'What hurts,' and then said 'take some Tylenol,' I wouldn't feel taken care of."

Costs unrelated to the inspections themselves can also crop up in the form of a "cybersecurity breach hangover," Routh explained. Following an incident, regulators or auditors will pay more scrutiny to the company which fell victim. Subsequent cybersecurity audits could then cost up to five times more because of the "hangover". 

"Enhanced security is not necessarily a bad thing, but it's certainly a fundamental change and impacts both the resources of the cybersecurity team and auditors," said Routh. 

A spate of data breaches at major companies in the past 12 months has underscored that importance. Top industry players have acknowledged millions of dollars in expenses stemming from incidents. Other exposures meanwhile are likely yet to be realized

"Spending $100,000 or $200,000 on penetration testing and internal auditing, and making sure that your vendors are staying safe with your borrower information, I think you can't even put an ROI on that," said Bressler. 


More From Life Style