Independent security researcher Bob Diachenko recently announced his discovery of nearly 24 million financial and banking documents that had been leaked to the internet. A misconfigured database hosted by OpticsML, a software development firm that claims to have developed machine learning for residential mortgage lending, appears to be the source of the leak. The platform was designed to extract data from a variety of mortgage documents and aid in automating the indexing of that data with the goal of reducing the human labor element by 80%.


A recent report from cybersecurity firm CyberGRX found that in 2018, 63% of all data breaches had been linked back to third parties with direct access to the impacted firm’s data and/or technology resources. As the costs associated with data breaches continue to climb, increasing nearly 36% year-over-year, organizations should be focusing on ensuring that their third-party vendors and service providers have robust cybersecurity controls in place.


Third-party vendor and service provider risk is a cornerstone element for regulators, as both state and federal regulators require that firms validate the cybersecurity posture of their third-party vendors. The Consumer Financial Protection Bureau requires any covered entity to have a formally documented risk management program in place for all high-risk and/or critical service providers. States such as Arizona, Colorado, Alabama, and New York all enacted new requirements in 2018 for lenders and financial services companies to validate that reasonable cybersecurity controls are in place with third-party service providers.


What is reasonable can vary based on the size of the organization as well as the type of data that the vendor has access to. But there are a number of critical items lenders should expect, including:

  • Encryption of data in transit
  • Encryption of data at rest
  • Robust access controls over the data
  • Multi-factor authentication for remote access
  • External third-party testing and reviews


This recent incident impacts nearly 46,000 loans that were originated by some of the largest US banks, including Wells Fargo, Citigroup, Capital One, as well as the Department of Housing and Urban Development. It only serves as an example of why third-party vendor risk is critical for all lenders, regardless of size. Companies need to ensure that the vendors they are doing business with are being good stewards of their customers’ information, especially since the lenders ultimately own the liability.