assess information security risk that identifies, prioritizes, and assesses the risk to critical systems, including threats to external websites and online accounts.
2. Monitor Internet traffic to the institution’s Web site to detect attacks.
3. Activate incident response plans and notify service providers, including Internet Service Providers (ISPs), as appropriate, if the institution suspects that a DDoS attack is occurring. Response plans should include appropriate communication strategies with customers concerning the safety of their accounts.
4. Ensure sufficient staffing for the duration of the DDoS attack and consider hiring pre-contracted third-party services, as appropriate, that can assist in managing the Internet-based traffic flow. Identify how the institution’s ISP can assist in responding to and mitigating an attack.
5. Consider sharing information with organizations, such as the Financial Services Information Sharing and Analysis Center8 and law enforcement because attacks can change rapidly and sharing the information can help institutions to identify and mitigate new threats and tactics.
Computer Emergency Readiness Team (US-CERT),16 Understanding Denial-of-Service Attacks.17

Jonathan Foxx is president and managing director of Lenders Compliance Group and Brokers Compliance Group, mortgage risk management firms devoted to providing regulatory compliance advice and counsel to the mortgage industry. He may be contacted at (516) 442-3456, by e-mail at jfoxx@lenderscompliancegroup.com, or visit www.LendersComplianceGroup.com or www.BrokersComplianceGroup.com.
Footnotes
1—Update–Encompass Incident Alert (4/3/14): www.elliemae.com/network-status.
2—Ellie Mae Reports on System Outages, “Outage Consistent with External Malicious Attack, No
http://ithandbook.ffiec.gov/it-booklets/businesscontinuity-planning.aspx.
10—Information Security: http://ithandbook.ffiec.gov/it-booklets/information-security.aspx.
11—National Cybersecurity and Communications Integration Center (NCCIC): www.dhs.gov/aboutnational-cybersecurity-communications-integration-center.
12—National Institute of Standards and Technology (NIST): www.nist.gov.
13—Computer Security Incident Handling Guide: http://csrc.nist.gov/publications/nistpubs/80061rev2/SP800-61rev2.pdf.
14—Distributed Denial of Service Attacks and Customer Account Fraud: www.occ.gov/newsissuances/alerts/2012/alert-2012-16.html.
15—Mitigating Distributed Denial-of-Service Attacks: www.ncua.gov/Resources/Pages/RSK2013-01.aspx.
16—United States Computer Emergency Readiness Team (US-CERT): http://www.us-cert.gov.
17—Understanding Denial-of-Service Attacks: www.us-cert.gov/ncas/tips/ST04-015.
6. Evaluate any gaps in the institution’s response following attacks and in its ongoing risk assessments, and adjust risk management controls accordingly.
National Mortgage Professional Magazine, APRIL 2014
NationalMortgageProfessional.com
I strongly recommend that the management of a financial institution meet regularly with the chief information officer (CIO) or, in lieu of a CIO, the IT professional who is in charge of maintaining the institution’s systems. Furthermore, every CIO and IT professional should be fully versed in the requirements set forth in FFIEC’s booklets, Information Technology Handbook on Business Continuity Planning9 and Information Security.10 Another resource is the DDoS Quick Guide, dated Jan. 29, 2014, published by the Department of Homeland Security’s National Cybersecurity and Communications Integration Center.11 This Guide provides useful information on attack possibilities and traffic types. It should be shared with an institution’s IT department and the institution’s online banking and Web site service providers, if applicable. Finally, there are the publications such as National Institute of Standards and Technology’s12 “Special Publication 800-61,” the Computer Security Incident Handling Guide,13 which offers specific instructions for IT staff members to help implement incident response plans. Also helpful are the reference materials from the OCC, Distributed Denial of Service Attacks and Customer Account Fraud,14 the NCUA, Mitigating Distributed Denial-of-Service Attacks,15 and the “Security Tip (ST04-015)” from the United States
Evidence of Data Breach,” Press Release, April 1, 2014.
3—Bloomberg News, Ellie Mae Technical Breakdown Prevents Mortgages From Closing, Heather Perlberg and Kathleen M. Howley (April 1, 2014): www.bloomberg.com/news/2014-0401/ellie-mae-technical-breakdown-preventsmortgages-from-closing.html.
4—Ellie Mae’s status page (04/03/14): www.elliemae.com/network-status.
5—Anderman, Sig, Encompass Incident Update from Ellie Mae, Encompass Incident Update, Ellie Mae, April 1, 2014: www.elliemae.com/encompass-incident-update.
6—Joint Statement, Distributed Denial-of-Service (DDoS) Cyber-Attacks, Risk Mitigation, and Additional Resources, FFIEC, FIL-11-2014: www.fdic.gov/news/news/financial/2014/fil14011.html.
7—Idem.
8—Financial Services Information Sharing and Analysis Center (FS-ISAC): www.fsisac.com.
9—Information Technology Handbook on Business Continuity Planning: