LAS VEGAS -- Cybersecurity is always a chief concern for many credit union executives, but with news of the Equifax hack having hit just days before this year’s American Credit Union Mortgage Association conference here, the subject was even more topical than usual.

A panel discussion on mortgage banking cybersecurity risks touched on many issues of the day, and it included a reminder that regulators are watching.

A panel discussion on cybersecurity during the 2017 American Credit Union Mortgage Association conference. From left to right: Tracy Ashfield, president, Ashfield and Associates, Tim Segerson, deputy director, Office of Examination and Insurance for NCUA, Todd Hougaard, product manager with Mortgage Cadence, William Burding, Jr., executive vice president and general counsel for Orange Coast Title Company
A panel discussion on cybersecurity during the 2017 American Credit Union Mortgage Association conference. From left to right: Tracy Ashfield, president, Ashfield and Associates, Tim Segerson, deputy director, Office of Examination and Insurance for NCUA, Todd Hougaard, product manager with Mortgage Cadence, William Burding, Jr., executive vice president and general counsel for Orange Coast Title Company

Tim Segerson, deputy director, Office of Examination and Insurance for NCUA, led off the panel discussion risks by stating, “Consumer privacy and security is the responsibility of the entire organization. There needs to be a culture of security throughout the organization.”

Todd Hougaard, product manager with Mortgage Cadence, agreed, saying, “The IT department can only go so far. Everyone says they follow procedures, but if you question them closely they will acknowledge making exceptions.”

Tracy Ashfield, president, Ashfield and Associates, said time and performance pressures can cause some people to cut corners.

“We tell mortgage officers to follow the employee handbook, but sometimes it is Sunday morning and we need a document, so members scan their W-2 and e-mail it. That is something we cannot control.”

According to NCUA’s Segerson, the credit union industry is going to have to move in the direction of greater consciousness of security – and figure out a way to do so without retraining or stifling innovation.

According to Ashfield, there are a cornucopia of vendors and third parties involved in the mortgage process, especially for credit unions that lend in multiple states. And, as William Burding, Jr., executive vice president and general counsel for Orange Coast Title Company, reminded, “It only takes one person in a title company to screw up the entire process.”

With that in mind, said NCUA’s Segerson, credit unions must understand the types of information they have and know who they are doing business with before they interact with a vendor.

Movement must collaborate on security

The CU industry needs to continue to collaborate, Ashfield said, asking Hougaard for his vision for what that will look like while protecting the supply chain?

“There is a lot that can be done,” Hougaard said. “Criminals are looking at big data and AI. To elevate the discussion, we have to start by finding some different conversations to have. We need to have conversations across the industry and learn from each other. Credit unions should talk to their other local credit unions and ask, ‘How are you guys doing this?’”

One barrier to best practices in security is not everyone in IT departments at large credit unions really knows all about how the mortgage process works, Ashfield noted. So how does the dialog begin?

“Portals were going to be a be all, end all,” Orange Coast Title’s Burding observed.

Added Hougaard: “Look at the changes that are taking place, PayPal or Uber being examples, involving connected networks. The ACH network was founded by people saying, ‘We need a way to move money.’ We are probably going to have to find a way as an industry to establish trust.”

NCUA’s Segerson said credit unions across the United States are working on distributed ledger technology, sometimes called blockchain. “That is not just for moving money back and forth,” he said. “There is an opportunity in the industry to build a standards-based relationship.”

What keeps you awake?

Ashfield asked the panel: What keeps you awake at night? Mortgage Cadence’s Hougaard said, “IT, because there is no system that is not hackable.”

NCUA’s Segerson said despite all the security challenges, it is important that credit unions do not become “catatonic.”

“Make sure we are aware and addressing the processes and systems,” Segerson advised. “Adapt your processes to address interactions with third parties. Make sure they are walking in your shoes.”