According to Statistics Canada, businesses within the Finance and insurance and Real estate and rental and leasing industries experienced an increase in cybersecurity incidents of 9.5 per cent and 6.7 per cent, respectively, between 2019 and 2020.
Cybersecurity questions and responses
In the 2021 Annual Information Return (AIR), FSRA asked licensed mortgage brokerages and administrators two general questions pertaining to cybersecurity:
- Does the brokerage/administrator have cybersecurity Policies and Procedures in place?
- Does the brokerage have cybersecurity insurance?
74.6 per cent of brokerages and 57.7 per cent of administrators reported having written policies and procedures to address cybersecurity. When compared to Canadian businesses in general, 18% of businesses had written policies in place to manage cybersecurity risks or to report cybersecurity incidents in 2019.
42.4 per cent of brokerages and 85.4 per cent of administrators reported having cybersecurity insurance in their 2021 AIR. In comparison to business in general, 17 per cent of Canadian businesses reported having insurance policies to protect against cybersecurity risks and threats.
When looking at the two questions in conjunction, 77.3 per cent of brokerages and 87.8 per cent of administrators reported having policies and procedures to address cybersecurity and/or cybersecurity insurance coverage.
In 2021, four mortgage brokerages reported a cybersecurity incident where a data breach occurred. Two of these brokerages had production volumes over $1 billion each and indicated that they had over 1,000 clients in their respective databases. The incidents included compromised agent e-mail accounts resulting in spam being sent and attempts to access systems and manipulate the funding of a mortgage.
It is important to recognize that cyber threats are a growing risk for everyone, including the mortgage brokering sector. Managing this risk proactively helps protect against attacks that seek to compromise or steal electronic information.
Cybersecurity incidents happen to businesses of all sizes. Should a security event occur, it could pose reputational risk or temporarily impact the ability to conduct business if systems are compromised.