Small mortgage companies face the same regulatory expectations as larger institutions when it comes to identifying and managing risk. Even with one or two branches and fewer than fifty employees, regulators expect management to conduct an enterprise-wide risk assessment (EWRA) that evaluates exposures across operations, compliance, cybersecurity, and customer interactions. The EWRA provides a structured way to document where risks exist, how they are controlled, and how often those controls are reviewed.
We have received numerous requests from companies who are NOT under a current examination or have recently completed an exam to provide specific plans. Here are instructions for how to locate, extract, and give these SPECIFIC plans to the regulator.
Iowa participates in the SES system, but it has its own rubric of cybersecurity items that it wants to see.
Michigan, for all of the detail required, is extremely transparent about its expectations for examinations. The pace of exams is picking up, so you may wish to review what they require in what they call the "Visitation Handout":
New York regulators recommend having these assessments and tools regularly reviewed.
New Focus on Cyber Security in SC Exam
It’s every lender’s nightmare: a borrower receives a hacked email that looks legitimate, wires funds to the fraudster’s account, and suddenly the closing is in jeopardy. Unfortunately, this type of wire fraud has become one of the fastest-growing cybercrimes targeting mortgage transactions. Under your 2-9 IT Security Program, you should be prepared with a structured response plan to minimize loss, assist the customer, and demonstrate compliance to regulators.