The recent global ransomware attacks highlight the importance of robust information technology (IT) security in loan servicers' operational risk frameworks, Fitch Ratings says. Because servicers rely on technology, the robustness of IT security, disaster recovery and business resumption plans are an important part of Fitch's servicer assessments.
In Fitch's view, the fast pace of technological developments creates opportunities for improved efficiency and greater control of servicing activities. The unprecedented scale of the recent attacks, which took place in more than 150 countries, underscores that technology also brings significant risks if the potential threats to data security develop faster than companies' ability to mitigate them.
Fitch considers regular security threat testing to be best practice. In those instances where a servicer's IT infrastructure is provided by third-party suppliers Fitch expects the servicer to demonstrate appropriate oversight, including verifying that the third party maintains adequate security. Fitch also monitors IT staffing and ongoing technology hardware and software enhancements. Our servicer operational reviews consider management's information technology strategies, the experience of the technology staff and timeliness of updates and enhancements. Signs of a decreasing focus on maintaining a robust infrastructure could indicate increased continuity risk. Fitch also reviews the servicer's approach to data security to assess whether the policies and controls in place enable effective protection of borrower information.
Servicers rated by Fitch demonstrate appropriate and regular risk assessments and robust security policies. Fitch contacted all rated loan servicers following the ransomware attacks to confirm whether or not there had been any loss of confidential borrower information and/or disruption to servicing activities. So far, we have received confirmation from all servicers in EMEA and for those responsible for commercial mortgages in North America that their operations have not been affected. This is also the case for the residential servicers in North America that have responded so far.
A number of servicers we contacted indicated that additional security steps were taken in response to the attacks. This is consistent with our view that Fitch-rated servicers should have appropriate plans in place to maintain critical systems which might come under threat from an emergency.
Latest from Cyber Policy Magazine
- Aon and Guidewire Launch Cyber Scenario for a U.S. Dam Attack
- Generali Launches Its Fully-Dedicated Cyber Insurance Function And The CyberSecurTech Start-Up
- Silent Cyber Added To Willis Re’s Cyber Portfolio Management Tool PRISM-ReTM
- Companies Will Make Major Enterprise Wide Changes To Address Cyber Risk In 2018
- DAS Spain Launches DAS Cyberbullying Insurance