In recent years, my role at LoanLogics has expanded into responding to vendor due diligence inquiries for new and existing clients. While traditionally it has been larger banks that require an in-depth assessment, I’ve noticed an increasing number of small to mid-sized financial institutions that are also asking the hard-hitting questions around information security (infosec). And they have every reason to be.
Not only is our industry a digital and sometimes paper pipeline flowing with highly sensitive PII (personally identifiable information) between counterparties, but it is also not immune to a breach, and is even attractive to those with malicious intent. Just a few weeks ago the mortgage industry was hit by a ransomware attack. As I write this, the depth of its inner workings is still being investigated and made public.
To level set, infosec refers to the processes and tools designed and deployed to protect sensitive business information against everything from misuse to disruption and destruction. How are organizations mitigating risk and reducing the impact that an infosec incident would create?
Part of the vetting of our infosec controls includes our annual SOC 2 Type II audit testing by an independent third party. There are plenty of resources on the web describing what this type of testing entails, but one website describes the report simply as one that addresses an organization’s internal controls in how it safeguards customer data and how well those controls are operating. These revered reports cover the principles of Security, Availability, Confidentiality, and Privacy.
Additionally, we provide clients and prospective ones with a standardized information gathering (SIG) questionnaire on our policies and procedures related to infosec, business continuity, security, and the like. This robust database can be made available with a signed LoanLogics NDA. Oftentimes, the information catalogued in our system extends far beyond what many vendor due diligence questionnaires ask of us.
As part of the sales process, I share LoanLogics’ commitment to security and compliance before a formal due diligence is requested. Why, you ask? Well, it is an important differentiator for us. While no one is 100% immune to an attack, … What’s the old adage? “Where there is a will, there is a way.”
An increasing amount of mortgage technology is operating in the cloud. More data is being collected and exchanged. Because of that, I advise you to do your infosec homework on prospective vendors earlier in the review process. Get a comfort level that the company you’re looking to do business with has ample tools and controls in place to protect you and your clients.