Aug. 17: Letters on the importance of hiring through referrals, and ransomware & cybersecurity

Today’s commentary focuses on two unrelated items that lenders, investors, and vendors spend, or should spend, a lot of energy on: hiring practices, and cybersecurity. How you find personnel can be as important as who you hire. And remember that “punched in the gut” feeling you had in school when you opened your locker and someone had stolen all your books? The stakes are a lot higher now. Shrugging and saying, “IT will take care of it,” while you have your passwords on a yellow sticky note on your computer isn’t the correct response.


Lenders are rightfully concerned about cybersecurity and ransomware, and about employees being the single biggest weakness. Companies, either through their own IT departments or through consultants, often send simulated phishing emails to employees with benign links; employees who click are warned, sent to training classes, or even terminated. And many employees or borrowers have mistakenly wired hundreds of thousands of dollars to “title companies” for a funding, only to find that the instructions were false and the money vanished. And data privacy for individuals… is it a thing of the past? And how are lenders handling data storage? The first page of a 1003 in the wrong hands can ruin a person’s life.

On a larger, more public scale, Capital One’s news prompted Mitch Tanenbaum with CyberCecurity LLC to weigh in. “The Capital One breach is yet another reminder that putting your systems in the cloud does not absolve you of any liability or much responsibility. Capital One has already said that the breach is going to cost them in the neighborhood of $100-$150 million; I suspect it will be more in the end.

“One thing that could, possibly, help them is that they likely have a LARGE, comprehensive cyber risk insurance policy. Our experience is that many (most?) mortgage companies do not have one. In many cases the policy is an add on to a PL or E&O policy and if it is, the coverage is likely very limited and would not help in this case.

“One issue that mortgage company execs need to address, seriously, is data retention. I am not sure what the penalties in Canada are for violating PIPEDA, their national privacy law, but I think Canadian lawyers will be able to make a good case for Capital One violating this principle of PIPEDA: ‘Principle 5 of the Personal Information Protection and Electronic Documents Act (PIPEDA) states that “personal information that is no longer required to fulfil the identified purposes should be destroyed, erased, or made anonymous.”’

“Mortgage companies and loan officers are committed packrats. They often say that they might need that loan information from 12 years ago. Let’s assume that is true (which I argue it is not); it still doesn’t have to be spinning on the Internet. It could be in the basement on the hard disk (backed up offline) of a computer that is powered off except for that one hour a year that it needs to be on to retrieve that one document from twelve years ago. I remember when we used to review paper loan files and get rid of the forms we no longer needed. That doesn’t happen anymore. Software could automatically do this after two years (or whatever), so it is actually pretty inexpensive to do that after the initial software is written. But we have to get past the obsession of, ‘What if I need that 8 years from now?’ My answer to that is, ‘Is possibly needing that in 8 years worth $150 million to you?’ Just asking.

“More importantly, with Capital One it is not clear that the hacker exploited any vulnerability in the design of Amazon’s systems. In fact, Amazon is saying that she didn’t. Amazon, like every cloud provider, has a shared responsibility model. In Amazon’s case, it has created hundreds of documents describing what customers are responsible for doing (just check Google). Many other smaller cloud vendors have not done anywhere near as good a job of documenting this, which means that mortgage companies have to figure out more of the controls themselves. And yes, sometimes those controls require an extra step (for example, if you are licensed in New York, you ARE using multi-factor authentication to access this data as REQUIRED by DFS-500, right?).

“This is, in part, where your annual risk assessment comes in. I don’t mean the one that compliance does that checks whether your vendors are licensed and have liability insurance. I mean a real, typically third party, CYBER risk assessment. It is critical and actually required by many state laws. That is a starting point for figuring out the risk. If you are using Amazon’s AWS or Microsoft’s Azure, you have to do the hard work. If you do not have an AWS or Azure security expert on staff, you need to periodically bring one in to review your architecture and your implementation. This is not optional – unless you want to wind up like Capital One.

“What parent of multiple kids hasn’t heard, ‘It’s her fault!’ ‘No it’s not, it’s his fault!’? Who is responsible for Capital One’s massive breach earlier this week involving data stored on Amazon Web Services’ infrastructure? It was purloined by a 33-year-old former employee of the web services company. So, Amazon’s got some exposure in all of this, right? Not likely due to contract law. But where did it go wrong?

“We have seen a number of businesses that had to pay the ransom because of the amount of time they would be down recovering from their backups. Baltimore, for example, took weeks to recover and is, in some areas, still recovering. You need to have a recovery time objective and then test to see if you can actually meet that objective. That does not mean recovering one system. That means recovering your entire IT infrastructure from brand new bare metal hardware if that is required.

“You need to plan for this in advance. This is part of the disaster recovery and business continuity consulting that we do for mortgage companies. Even if you do it yourself, you need to create the policies, procedures and practices to implement this and then you need to test regularly. Putting stuff ‘in the cloud’ doesn’t solve this problem. Here is a recent blog post on one cloud provider who was down for two weeks, impacting every one of their customers, as a result of a ransomware attack.

“It is a huge problem and one that is only going to get worse as we move more stuff to the cloud. Do you remember the good old days when all we worried about was someone breaking into the office and stealing loan files? Those days are gone forever. Now we have to worry about 15-year-olds in Romania having access to your data. You have two choices: pay now or pay later. There is no option to pay never. Reputation is critical to every mortgage company. What will happen to yours if you are front page news due to a breach?” Thank you, Mitch!
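Mitch’s data-retention point (records that have outlived their purpose should be destroyed, erased or made anonymous rather than left spinning online, with the rare old file kept on offline media) can be made concrete as a retention sweep. The script below is an added example, not code from the original commentary or from CyberCecurity LLC; the two-year window, the `legal_hold` flag, the field names and the sample loan records are all constructed assumptions.

```python
"""Retention sweep for loan-file records (constructed example).

Records older than the retention window are split out for offline archival
and replaced online by an anonymised stub; records under a legal or
regulatory hold are reported but left untouched.
"""
from dataclasses import dataclass, replace
from datetime import date, timedelta
from typing import Dict, Iterable, List, Tuple

RETENTION_YEARS = 2  # assumed policy value; the commentary says "two years (or whatever)"


@dataclass(frozen=True)
class LoanRecord:
    loan_id: str
    closed_on: date
    borrower_name: str   # direct identifier, stripped on anonymisation
    ssn: str             # direct identifier, stripped on anonymisation
    address: str         # direct identifier, stripped on anonymisation
    loan_amount: int     # kept online for aggregate reporting
    legal_hold: bool = False  # hypothetical flag: never purge while set


def retention_cutoff(today: date, years: int = RETENTION_YEARS) -> date:
    """Records closed before this date have outlived the window (365-day years)."""
    return today - timedelta(days=365 * years)


def classify(records: Iterable[LoanRecord], today: date,
             years: int = RETENTION_YEARS) -> Dict[str, List[LoanRecord]]:
    """Bucket records into retain / hold / expired relative to the cutoff."""
    cutoff = retention_cutoff(today, years)
    buckets: Dict[str, List[LoanRecord]] = {"retain": [], "hold": [], "expired": []}
    for r in records:
        if r.closed_on >= cutoff:
            buckets["retain"].append(r)
        elif r.legal_hold:
            buckets["hold"].append(r)      # expired but must stay until the hold lifts
        else:
            buckets["expired"].append(r)
    return buckets


def anonymize(record: LoanRecord) -> LoanRecord:
    """Return a copy with direct identifiers blanked; non-identifying fields survive."""
    return replace(record, borrower_name="", ssn="", address="")


def sweep(online_store: Dict[str, LoanRecord], today: date,
          years: int = RETENTION_YEARS) -> Tuple[List[LoanRecord], Dict[str, int]]:
    """Apply the policy to the online store in place.

    Returns the list of full records destined for offline media (the caller
    writes them to the powered-off archive machine) and a count per bucket.
    """
    buckets = classify(list(online_store.values()), today, years)
    archive: List[LoanRecord] = []
    for r in buckets["expired"]:
        archive.append(r)                              # full copy goes offline
        online_store[r.loan_id] = anonymize(r)         # only the stub stays online
    summary = {name: len(items) for name, items in buckets.items()}
    return archive, summary


def build_sample_store() -> Dict[str, LoanRecord]:
    """Constructed sample data: one current file, one expired, one expired-but-held."""
    rows = [
        LoanRecord("LN-2018-0113", date(2018, 3, 1), "A. Borrower", "123-45-6789",
                   "1 Main St", 310000),
        LoanRecord("LN-2016-0042", date(2016, 1, 15), "B. Borrower", "987-65-4321",
                   "2 Oak Ave", 250000),
        LoanRecord("LN-2012-0007", date(2012, 6, 30), "C. Borrower", "555-12-3456",
                   "3 Elm Rd", 180000, legal_hold=True),
    ]
    return {r.loan_id: r for r in rows}


if __name__ == "__main__":
    store = build_sample_store()
    to_archive, counts = sweep(store, date(2019, 8, 17))
    print("bucket counts:", counts)
    print("to offline archive:", [r.loan_id for r in to_archive])
    for loan_id, rec in store.items():
        print(loan_id, "online ssn:", repr(rec.ssn), "amount:", rec.loan_amount)
```

The sweep is idempotent: a record already reduced to its anonymised stub is still past the cutoff on the next run, so it is re-listed for archival, which is harmless; a production version would mark stubs so they are skipped. The hold bucket is the check a practitioner wants before any automated destruction runs.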

Hiring through referrals

Lenders and vendors everywhere tell me that hiring the right people, and then onboarding and training them, is more important than ever. Few small companies offer formal training programs; most opt instead to find and hire experienced personnel, usually at the expense of others in the business. How do they find them in the first place?

Adam Consiglio, Managing Member of Consiglio-Mattei Executive Search Group LLC, writes, “It’s no secret: Employee referral programs can greatly help your organization find and hire top talent. After all, where best to find potential new employees than by tapping into current workers, who share your firm’s values and who are already helping you run a successful business? ‘Employee referral programs can be an effective way to hire talented people, and they can also be invaluable in the current talent acquisition environment, in which open jobs outnumber qualified candidates,’ according to SHRM. Securing talent through a strong employee referral program, however, doesn’t just help you hire strong new employees. It can also be a powerful tool to help you promote your employer brand.

“’These types of initiatives are extremely powerful tools that can help you promote your employer brand and attract strong talent into the recruiting process,’ says Kathryn Budd, director of human resources for MRI Network. ‘When applied consistently, employee referral programs can also be a great retention tool that translates into huge costs savings on recruitment and investment in employees over time.’”

Adam’s note goes on to discuss what an effective employee referral program entails and how you can start one at your company. “1. Give employees the tools they need to refer: This can mean putting together a positive culture around employee referrals and being able to track these efficiently in an HR portal so that you can effectively review the entire referral workflow. 2. Set expectations and guidelines: Additionally, SHRM recommends that you should ‘make sure employees understand the referral program’s guidelines and expectations, including who is eligible to participate in the program and receive rewards for referrals.’ Also be sure to include EEOC language to make it clear that the referral program is not discriminatory in any way.

“3. Provide incentives: To help boost employee support in referring all-star talent, you should ideally put into place monetary inducements (if someone gets hired and stays for a set period of time). Make sure these incentives are paid in a predictable, timely and public manner. To facilitate this, HR staff should set up automated payments in their HR information system. Other guidelines to follow include holding leaders accountable and being transparent throughout the process with employees, providing feedback, and, importantly, marketing the program far and wide. This last guideline means investing in the marketing and communication plans to boost how many employees at your organization actually participate. This is extremely important when trying to promote your employer brand.

“But, how is the term defined? According to SHRM, employer branding ‘is an important part of the employee value proposition and is essentially what the organization communicates as its identity to both potential and current employees.’ Moreover, it includes many things about the company, including the ‘organization’s mission, values, culture and personality,’ according to SHRM. ‘A positive employer brand communicates that the organization is a good employer and a great place to work.’ Notably, the article also states that an employer brand greatly affects the ‘recruitment of new employees, retention and engagement of current employees, and the overall perception of the organization in the market.’

“So, what are the specific ways referral programs can help? First, a strong referral program, as noted above, includes clear expectations, guidelines and a powerful marketing plan of action. As a result of this communications push, employees will know in-depth how to speak with former co-workers and friends who they want to refer. This strong professionalism instantly makes your company look like a worthy organization and one that many will want to join because of this, leading to increased interest.

“Second, your company should be investing heavily in communications and online content in order to promote your employer brand on your website, social media platforms, public relations and through other promotional materials. As a result, people will covet the chance to be referred and interviewed because they’ll know even more about the company.

“‘An employee referral program is a win-win situation for you and your organization,’ says Budd. ‘You’ll create both a powerful commitment to hiring the best people as well as an employer brand that truly shines.’ This will also signal to your firm’s clients and other external stakeholders that your organization has robust systems for attracting the talent that will drive performance, further establishing confidence in your products and services, and ultimately a more successful business.” Good summary, Adam!

Today my daughter and I will be driving south through Ohio and into Kentucky. I told her that we’d better be careful about some of the Kentucky & Ohio laws.

In Lexington it is illegal to transport an ice cream cone in your pocket.

By law, anyone who has been drinking is “sober” until he or she “cannot hold onto the ground.”

It is illegal to have sex on a parked motorcycle in London, Kentucky. It’s all good as long as the bike is moving.

Any person who displays, handles or uses any kind of reptile in connection with any religious service or gathering shall be fined not less than fifty dollars ($50) nor more than one hundred dollars ($100).

In Canton, if you lose your pet tiger you must notify the authorities within one hour.

You cannot eat a doughnut and walk backwards on a city street in Marion.

Women are prohibited from wearing patent leather shoes in public.

Visit for more information on our industry partners, access archived commentaries, or to subscribe to the Daily Mortgage News and Commentary. If you’re interested, visit my periodic blog at the STRATMOR Group web site. The current blog is, “Mortgage Rates: Thinking the Unthinkable.” If you have both the time and inclination, make a comment on what I have written, or on other comments so that folks can learn what’s going on out there from the other readers.


(Market data provided in partnership with MBS Live. For free job postings and to view candidate resumes visit LenderNews. Currently there are hundreds of mortgage professionals looking for operations, secondary and management roles. For up-to-date mortgage news visit Mortgage News Daily. For archived commentaries, or to subscribe, go to Copyright 2019 Chrisman LLC. All rights reserved. Occasional paid job listings do appear. This report or any portion hereof may not be reprinted, sold or redistributed without the written consent of Rob Chrisman.)

Rob Chrisman