Mortgage Broker is the magazine of the Canadian Mortgage Brokers Association and showcases the multi-billion dollar mortgage-broking industry to all levels of government, associated organizations and other interested individuals.
Issue link: http://digital.canadawide.com/i/842412
CmB magazine cmba-achc.ca spring 2017 | 59 M any Canadian small- and mid-sized enterprises ("SMEs") appear to be operating on Cloud 9 when it comes to data and privacy security. It's understandable. Business owners no longer need to worry about purchasing and maintaining servers; they can outsource data storage to cloud providers for a fraction of the cost. Mortgage lenders can focus on serving customers, investors and mortgage brokers while someone else takes care of "their" data and information. Who Is Responsible? e Personal Information Protection and Electronic Documents Act ("PIPEDA") states that companies are required to protect the data and information that they collect. erefore, it is ultimately your firm that is responsible for protecting the data and information you receive from individuals and companies. It does not matter if you store data with a third party; you are required to safeguard that data. Whether you're a broker or a lender, you should always take care to review the agreements you have in place with data storage providers and IT sub-contractors. (You should also ensure that storage of the data with your chosen provider does not violate provincial or federal protection of privacy requirements, particularly as to the location of the storage facility.) Do your service providers indemnify your organization if your data is compromised while in their care and domain? In most cases the answer is "no". Lenders Are Data Companies e comment I hear most oen when speaking with owners of mortgage brokerages and lenders about their data security and privacy risk is that they do not believe they actually have much of a risk. However, mortgage- related businesses collect employment information, income figures, tax information, addresses, emails, date of birth, driver's licence, etc. e data security risk exposure is even higher for those lenders with a related company registered as an exempt market dealer because they hold personal financial information on the investors in the mortgage fund. Cyber security experts would classify mortgage lenders as high-risk targets for data the. e personal information you collect, when conglomerated with other data, becomes very valuable. Cyber criminals are oen trying to create profiles of us in order to sell the data on the dark web; it is a $300-billon industry. The Privacy Laws Are Changing e rules under the Digital Privacy Act (DPA) are expected to become more stringent in the next few months as new requirements for mandatory notification of a privacy breach come into force. Currently, Alberta is the only province with mandatory reporting for private sector organizations to notify individuals of "loss or unauthorized access to or disclosure of personal information" when there is a "real risk of significant harm." e new federal legislation will likely have a very broad definition of "significant harm". Mortgage lenders need to understand their risk exposure if they are required to notify every affected individual in their database. e cost will certainly be more than $100 per record, but the big risk is lawsuits. When individuals are notified, it just takes one of them to contact a lawyer experienced in launching class-action privacy lawsuits. How Do You Prepare? 1. Education: IT costs are climbing quickly for most firms so spending more on IT security can be prohibitive. erefore, the biggest bang for your buck is training. e costs are low; the investment in this case is time and effort. However, the cost of ignoring training is high. Explain to employees why certain policies and procedures are in place, and why it is important they be followed. 2. Security Audit: Hire a third-party firm specializing in network security and privacy audits to come in and audit your systems, premises, policies and practices. ey will make recommendations that are oen easy and inexpensive to implement that can dramatically improve your risk profile. 3. Cyber Insurance: Unfortunately, education, robust IT security systems and an audit from a security firm cannot guarantee you will be spared a breach, so work with your insurance broker to quantify your risk and see if financing some of this risk with a Cyber Insurance policy makes sense. Derrick Leue is the President of PROLINK Insurance. Contact PROLINK to learn more about their Cyber Insurance program for lenders. ey can be reached at 800-663-6828 or derrickl@prolink.insure (Cyber) Security