A Focus On: Cybersecurity

Never trust, always verify.

As headlines throughout 2023 have shown, when it comes to cybersecurity, you can never be too careful. After all, cyber threats are always out there — and they’re always evolving.

No organization is immune to these dangers, and as the leading mortgage loan subservicer, Cenlar fully understands the security implications of existing and emerging cyber threats. Security is our top priority, to protect our own operations as well as our clients and their homeowners.

At Cenlar, we use a new security model that provides intelligence-driven cyber defense to disrupt cyberattacks and more efficiently respond to cyber incidents. The program aligns to federal regulations, state privacy laws, regulatory guidance and industry best practices, and has been designed to comply with Federal Financial Institutions Examination Council (FFIEC) cybersecurity standards. It more effectively adapts to the complexities of the business environment, embraces hybrid work and protects systems and sensitive data wherever they’re located.

The bottom line: Our daily mission is to protect our operations from constant threats so that we can service loans and protect the data of our clients and their homeowners.

It all starts with the industry-best security strategy principles called “Zero Trust” — verify explicitly, use least-privilege access and always assume a breach has occurred. These principles shape our everyday servicing operations, our technology planning and our disaster planning, including how we address threats. They are prioritized in the way we handle client data and are the cornerstone of our account controls, our compliance audits and the certifications we offer our clients.

Verify explicitly
Always authenticate and authorize based on all available data points, including user identity, location, device health, service or workload, data classification and anomalies.

Use least-privilege access
Limit user access with just-in-time and just-enough access (JIT/JEA), risk-based adaptive policies and data protection to help secure both data and productivity.

Assume breach
Minimize blast radius and segment access. Verify end-to-end encryption and use analytics to get visibility, drive threat detection and improve defenses.
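As an added illustration (not Cenlar's code or any product's policy engine), this hypothetical Python evaluator turns the three principles above into one access decision: the requested role must be entitled (least privilege), MFA is checked on every request (verify explicitly), device, location and anomaly signals yield a risk level that is compared against the data classification (assume breach), and every grant is time-bounded (JIT). All signal names, thresholds, roles and the clock value are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional
# Hypothetical policy evaluator (a constructed example, not a Cenlar system); the
# signals mirror the three principles above: verify explicitly, JIT/JEA, assume breach.
LOW, MEDIUM, HIGH = "low", "medium", "high"
RANK = {LOW: 0, MEDIUM: 1, HIGH: 2}
# Assume breach: the more sensitive the data, the less session risk is tolerated.
MAX_RISK_FOR_DATA = {LOW: MEDIUM, MEDIUM: MEDIUM, HIGH: LOW}
NOW = datetime(2023, 11, 1, 9, 0)   # constructed clock value for the sample requests

@dataclass
class AccessRequest:
    user: str
    requested_role: str
    entitled_roles: set         # roles governance has approved for this user (JEA)
    mfa_verified: bool          # identity signal
    device_compliant: bool      # device-health signal (managed, patched)
    location_trusted: bool      # expected geography / corporate network
    anomaly_score: float        # 0.0 normal .. 1.0 highly anomalous
    data_classification: str    # LOW / MEDIUM / HIGH sensitivity of the resource

@dataclass
class Decision:
    allow: bool
    reason: str
    expires_at: Optional[datetime] = None   # JIT: every grant is time-bounded

def session_risk(req: AccessRequest) -> str:
    # Risk-based adaptive score from device, location and anomaly signals.
    if req.anomaly_score >= 0.7:
        return HIGH
    if not (req.device_compliant and req.location_trusted):
        return MEDIUM
    return LOW

def evaluate(req: AccessRequest, now: datetime = NOW) -> Decision:
    # Least privilege: only roles the user is entitled to may be granted.
    if req.requested_role not in req.entitled_roles:
        return Decision(False, "role not entitled (least privilege)")
    # Verify explicitly: MFA on every request, no implicit trust from the network.
    if not req.mfa_verified:
        return Decision(False, "MFA not verified")
    risk = session_risk(req)
    if RANK[risk] > RANK[MAX_RISK_FOR_DATA[req.data_classification]]:
        return Decision(False, f"risk {risk} too high for {req.data_classification} data")
    # JIT: elevated risk shortens the grant, forcing earlier re-verification.
    minutes = 15 if risk == MEDIUM else 60
    return Decision(True, f"granted at risk {risk}", now + timedelta(minutes=minutes))
```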

As Cenlar’s Chief Information Security Officer (CISO), I lead the organization’s Information Security program. Under my direction, the Corporate Security Office (CSO) manages cybersecurity risk to enable business, technology and security outcomes that:

  • Identify opportunities
  • Capture value
  • Adapt to the dynamic business environment

The CSO helps ensure that sufficient staffing, processes and technology are in place for Cenlar management to properly identify, assess, control, monitor and report cybersecurity risk. This includes:

  • Information Security policies, procedures, standards and guidelines
  • Identity governance
  • Cybersecurity and cyber resilience
  • The management of operational, compliance and strategic risk associated with cybersecurity

Cenlar employs a dedicated team of full-time security professionals. They are tasked with:

  • Maintaining our cyber defense systems
  • Developing security review processes
  • Maintaining secure infrastructure
  • Implementing the company’s security policies

The team actively scans for security threats using commercial tools and manages annual penetration tests and software security reviews.

Together with the Board of Directors and Cenlar executive management, the CSO has encouraged the development of a security-focused culture at Cenlar. To sustain that culture, phishing simulations are conducted regularly, and security audits are performed routinely, including internal audits and external audits conducted by independent third-party vendors. Since Cenlar is a federally chartered bank, it is subject to the requirements of the OCC on cyber matters, including examinations.

Responding to a Cyber Incident

Of course, organizations also have to be prepared for the scenario in which a cyber incident does occur.

Cyber incident response is a key aspect of Cenlar’s overall information security program. We have an established process for managing cyber incidents that specifies actions, escalations, mitigation, resolution and notification of any potential incidents impacting business operations or affecting the confidentiality, integrity or availability of customer and client data.

Cenlar’s Cyber Incident Response Team (CIRT), which I lead, is a cross-functional team of Cenlar senior leaders and managers who can draw on industry experts across specialized functions, through our cyber insurance carrier, to ensure each response is tailored to the challenges presented by each incident. The CIRT follows the industry-standard incident response lifecycle defined by the National Institute of Standards and Technology (NIST).

Our plan and playbooks are reviewed and exercised at least annually.

Following the successful remediation and resolution of a data incident, the incident response team evaluates the lessons learned from the incident. If follow-up work is required, the incident response team develops an action plan to complete that work and assigns project managers to spearhead the long-term effort.

Living in a Dynamic World

Our program at Cenlar, rooted in FFIEC guidelines and aligned to the NIST Cybersecurity Framework, incorporates industry best practices for cybersecurity. Our goal is to allow our cybersecurity vision, guidance and governance to drive business, technology and security outcomes at the organization, managing risk while adapting to the dynamic business environment.

It’s not an easy job, but as we’ve found out this year, it’s a job that’s more necessary than ever.

Chief Information Security Officer Jason Shockey has more than 20 years of experience in IT and global cybersecurity operations, specializing in governance, risk management, compliance, IT operations, architecture, software engineering and incident response. Before joining Cenlar, Jason was the CISO for Cyberpoint International. In addition to his work in the private sector, Shockey has an extensive background in leading cybersecurity efforts for the U.S. Marine Corps and partnering with the intelligence community. He directed and guided cybersecurity operations, infrastructure development and software engineering for Marine Corps Forces Cyberspace Command at Ft. Meade, Maryland. He led national level operations for the Cyber National Mission Force at Ft. Meade, and served as a special liaison to the National Cyber Investigative Joint Task Force. He was selected by the Commander of U.S. Cyber Command to lead high performance teams consisting of world class cyber experts, scientists, engineers and national level defensive cyber professionals to characterize risk associated with unattributed, global emerging cyber threats.