Alok Datta of SLK Global Solutions America on Information Security
By MBA Insights Staff
May 6, 2019
Alok Datta is president of SLK Global Solutions America, Dallas, a business process management provider for the financial services industry. A former vice president of Genpact, he has more than 20 years of mortgage industry experience. He can be reached at email@example.com.
MBA INSIGHTS: Recently, TechCrunch uncovered a massive data breach involving mortgage loans, including birthdates, names and Social Security numbers. It wasn't the first time the mortgage industry had been involved in such a breach. Why won't it be the last?
ALOK DATTA, SLK GLOBAL SOLUTIONS AMERICA: The reason it won't be the last breach is that there's so much mortgage data to protect. From the consumer's perspective, getting a mortgage is one of the most intrusive processes within the financial world. Borrowers are required to share an extraordinary amount of personal information to get qualified for a loan. Generally speaking, the more data our industry handles, the greater the potential exposure.
Recently, there has been a significant push toward protecting borrower data through new regulations such as New York Department of Financial Services Cybersecurity Regulation and the EU's General Data Protection Regulation. While most lenders have embraced these new rules, however, many have not internalized the concept of cybersecurity holistically. One of the main reasons for this that the cost of compliance has increased significantly in recent years, and coupled with lower volume, lenders are facing considerable margin pressures. Unfortunately, this has resulted in lenders and third party providers taking short cuts, which in turn leads to breaches.
Currently, many lenders are embracing technology to reduce costs and improve margins. But without the right checks and balances in place, technology can actually increase the risk of a breach. For example, a growing number of lenders are outsourcing their technology needs, but they aren't performing proper due diligence before selecting a provider. Many providers, meanwhile, are small companies or recent startups that perform time-based projects, which are often left unfinished or untested. These providers are not interested in long-term partnerships with the lenders they serve; they work on one project and quickly move onto the next one. Many of these providers are unconcerned or even unaware of our industry's growing information security needs, and therefor prone to making careless errors.
INSIGHTS: The breach apparently involved a third-party provider. Shouldn't that send alarm bells ringing among mortgage providers and servicers?
DATTA: Absolutely. This is a wakeup call for our industry. Today's lenders require robust information security protocols, which starts with creating an information security framework that includes server controls, encrypted online data transfer, data integrity, access to right party and due diligence of third party vendors.
Before partnering with any service provider, lenders should scrutinize them carefully. This scrutiny should include the provider's software, the servers they use, the skillsets they have and their experience in the industry. Really, lenders should only trust mature, experienced providers when it comes to protecting borrower data. It's fine to have great technology that accelerates loan production, but great technology alone is not enough.
INSIGHTS: Was this a case of criminals becoming more sophisticated, or simply a failure of the provider?
DATTA: I would say it was a failure of the provider. Breaches generally happen because of human oversight or negligence. In the recent breach, the data was lying exposed online without any protection. There must be a greater emphasis in our industry on compliance training and education, including refresher courses, stronger password protection and communication protocols, and greater sensitivity among a lender's staff on data handling and management.
At the same time, we cannot underestimate that cybercriminals are getting more and more sophisticated. Anonymous browsing, deep web, dark web controlled through Tor/Onion and many others have become gateways to breaches and cybercrimes that most of us aren't yet even aware of. These are experts we are talking about. In such instances, even a slight error from our side can cost billions of dollars and jeopardize the financial lives of thousands borrowers. It's a never-ending challenge.
INSIGHTS: What steps could have been taken to have prevented this data breach?
DATTA: This may sound old school, but lenders must either store critical mortgage documents only on their own servers or be able to have complete control over where and how information is stored. This obviously wasn't happening in the case of this recent data breach. I am not averse to cloud storage, but it's critical to determine what information can be stored in the cloud and what information must be kept within a lender's own systems.
While working with third-party service providers, lenders must do their enterprise security assessments, vulnerability assessment and penetration testing and software vulnerability testing. Most importantly, lenders should only let a service provider access their data though a virtual network. Employee awareness and education cannot be under-emphasized, either.
INSIGHTS: What kinds of security services does SLK offer clients to protect private data?
DATTA: Our infrastructure is such that a lender's data is never on our systems-it is always within their U.S.-based servers. We maintain an enterprise security resource group that has the relevant certifications to not only maintain a safe internal information security environment, but can also offer these services to our clients. We've also amassed a number of important certifications that help ensure the trust of lenders in our services. Our IT environment is ISO and GDPR certified for information security, ISO certified for quality, BCP and SSAE 18 certified for controls and PCI certified for payments. Plus, we are also regularly audited by banks and third parties. They primarily focus on is whether SLK is abiding to the set business/contractual requirements WRT processes and information security management systems, or ISMS.
Finally, compliance is ingrained in our employees from the moment they join our company, from obtaining compliance certifications during their onboarding process, to taking part in refresher courses, annual re-orientation and assessment, being exposed to surprise checks, to using visual content on password protection to performing phishing tests and much more. Regular Information security awareness drives are conducted to make sure employees are aware of new developments and best practices. It's the responsibility of our information security team to ensure all our employees are aligned to the overall vision of compliance and data integrity.
INSIGHTS: When you are first working with clients, what kind of security measures do you test or look for? Do you find that you can recommend different options?
DATTA: We test everything and we can usually recommend multiple options, depending on the client's needs. When we work with a client, our enterprise security resource group and the client's information security group collaborate to design a secure environment that meets both our standards as well as the client's specific requirements. The same of set of teams or third-party auditors then test the new environment to make sure all security measures are in place. When we first start working with clients, we often recommend certain practices the client is not aware of. This comes from our 17 years of experience working with many different financial services companies, banks and especially mortgage lenders and servicers. Over that time, we've pretty much seen it all. Cybersecurity is a constant challenge, but it's a challenge we embrace.
(Views expressed in this article do not necessarily reflect policy of the Mortgage Bankers Association, nor do they connote an MBA endorsement of a specific company, product or service. MBA Insights welcomes your submissions. Inquiries can be sent to Mike Sorohan, editor, at firstname.lastname@example.org; or Michael Tucker, editorial manager, at email@example.com.)