KUALA LUMPUR (May 18): The recent global ransomware attacks highlight the importance of robust information technology (IT) security in loan servicers' operational risk frameworks, according to Fitch Ratings.
In a statement on its website yesterday, the ratings agency said because servicers rely on technology, the robustness of IT security, disaster recovery and business resumption plans are an important part of Fitch's servicer assessments.
“The fast pace of technological developments creates opportunities for improved efficiency and greater control of servicing activities.
“The unprecedented scale of the recent attacks, which took place in more than 150 countries, underscores that technology also brings significant risks if the potential threats to data security develop faster than companies' ability to mitigate them,” it said.
Fitch said it considers regular security threat testing to be best practice.
It said that in those instances where a servicer's IT infrastructure is provided by third-party suppliers, Fitch expects the servicer to demonstrate appropriate oversight, including verifying that the third party maintains adequate security.
Fitch said it also monitors IT staffing and ongoing technology hardware and software enhancements.
“Our servicer operational reviews consider management's information technology strategies, the experience of the technology staff and timeliness of updates and enhancements.
“Signs of a decreasing focus on maintaining a robust infrastructure could indicate increased continuity risk. Fitch also reviews the servicer's approach to data security to assess whether the policies and controls in place enable effective protection of borrower information,” it said.
Fitch said servicers it rated demonstrate appropriate and regular risk assessments and robust security policies.
The ratings agency said it contacted all rated loan servicers following the ransomware attacks to confirm whether or not there had been any loss of confidential borrower information and/or disruption to servicing activities.
“So far, we have received confirmation from all servicers in Europe, Middle East and Africa (EMEA) and for those responsible for commercial mortgages in North America that their operations have not been affected. This is also the case for the residential servicers in North America that have responded so far.
“A number of servicers we contacted indicated that additional security steps were taken in response to the attacks. This is consistent with our view that Fitch-rated servicers should have appropriate plans in place to maintain critical systems which might come under threat from an emergency,” it said.