Experts call ‘tech debt’ a significant cyber vulnerability

From left: Jason Doshi, CEO and co-founder of, Marianne Bailey, partner at Guidehouse, and Rick Hill, vice president of industry technology at the Mortgage Bankers Association, speak Tuesday, May 17, at the MBA’s Secondary and Capital Markets Conference and Expo in New York City.

Andrew Martinez

Mortgage firms facing pervasive cyberthreats may be overlooking a significant vulnerability in their aging technology.

Companies both large and small are running older computer systems that are not secure, an issue professionals called “tech debt” on Tuesday in New York City during a panel at the Mortgage Bankers Association’s Secondary Markets Conference. The problem is complicated by the difficult decision firms face in either building or purchasing their own tech stack of loan origination and sales software.

“In order to build that entire tech stack in-house, really not only is it costly but things are moving so fast by the time you’re done working on your pricing system your (Point of Sale) may now be out of date,” said Jason Doshi, CEO and co-founder of, a firm which facilitates digital fund transfers. “Implementing a technology stack, you know, it’s a decision of buy versus build.”

On-premise systems are extremely outdated, Doshi said, because they require physical downloads of patches versus cloud software, which is consistently updated. Companies also have to ensure updates are implemented company-wide rather than just at their headquarters. Experts have suggested keeping current with software patches can significantly reduce risk.

Mortgage firms digitizing their operations typically direct capital infusions to software development, but also often rely on multiple third-party providers such as fintechs for services, which experts say increases a company’s risk profile. Further complicating the matter is the cost of cybersecurity itself, which can be difficult for smaller firms already beset by declining industry revenues.

“I worry as we go forward both from the vendor side but also smaller financial institutions that the cost to protect themselves is so high that they can’t really stay in business,” said Rick Hill, vice president of industry technology at the MBA.

Cybercrime damages in general were expected to total an astronomical $6 trillion in 2021, according to Cybersecurity Ventures. While an approximate dollar impact of cybercrimes on the mortgage industry isn’t available, ransomware has been especially devastating, with lenders, servicers and title firms recently reporting data breaches affecting a combined hundreds of thousands of customers.

Experts Tuesday also reiterated the importance of caution regarding potential cyberattacks from Russian-based criminals seeking funds in the wake of economic sanctions, and referenced a Russian-speaking cybercriminal gang’s recent claim of responsibility for an attack on the Costa Rican government. No mortgage data breach has been directly tied to Russian-based cybercriminals, but industry professionals previously suggested attacks are likely to come.

“People don’t realize that there has been a low level of cyber war for decades,” said Marianne Bailey, a partner at cybersecurity firm Guidehouse. “They’re getting into everything. They’re very sophisticated. They know a lot of corporations better than the corporations do themselves.”