One spoofed wire instruction ends a closing.
Mortgage brokers sit at the center of a wire, a deadline, and a mountain of nonpublic personal information. GLBA Safeguards spells out the controls. We build and run them.
What a bad day actually costs a mortgage broker
A closing has a date on it. Rate locks expire, sellers have moving trucks booked, and buyers can lose earnest money if the deal slips. When a broker's email, loan origination system, or e-signature access goes down on closing day, the cost isn't measured in lost productivity — it's measured in deals that don't close. When an attacker compromises an inbox and inserts fraudulent wire instructions into that same closing, the cost is the wire itself, and wires rarely come back once they clear.
We wrote up exactly this scenario after responding to a business email compromise wire fraud attempt at a title company — the same closing-table dynamic mortgage brokers work in every day. The attacker didn't break any encryption. They watched a real email thread about a real closing and sent fake instructions at the moment the buyer was expecting real ones.
Why the GLBA Safeguards Rule applies to you
Mortgage brokers are financial institutions under the Gramm-Leach-Bliley Act, which puts you inside the FTC Safeguards Rule. The rule requires a written information security program: a designated qualified individual, access controls, encryption of nonpublic personal information (NPI) in transit and at rest, monitoring, employee training, vendor oversight, and a documented incident response plan. NMLS licensing layers state-specific recordkeeping on top of that. None of this is optional paperwork — it's the baseline an examiner or a plaintiff's attorney will check first after an incident.
NPI is the whole file: Social Security numbers, bank statements, pay stubs, tax returns, credit reports. It sits in your LOS, your email, and whatever shared drive your team actually uses day to day — which is exactly the gap a compliance audit we ran turned up: 23 files with “password” in the filename that actually contained credentials. Safeguards compliance isn't a policy document, it's whether that file exists in the first place.
The controls a Safeguards program actually runs on
Encryption at rest, multi-factor authentication, and monitored endpoints aren't line items on an audit checklist — they're what stops an incident from becoming a reportable breach. We've had a client's laptop stolen with customer data on it and only minutes to act before the thief could get online with it; an encrypted, remotely wipeable device is what turns that into a non-event instead of an NPI breach notification. And when an outgoing IT director locked every admin account on the way out and left 85 users dead in the water, the fix was emergency admin access restored through the RMM — in minutes, not after a ticket sat overnight.
Email is the other half of the exposure. Loan documents move by email, so a compromised endpoint or inbox is a direct path to NPI. We've cleaned browser-hijacking malware off 30 infected machines for one client, and walked another user through a flood of verification codes she never requested to tell spam from an actual account takeover in progress. A Safeguards program treats this kind of triage as a compliance control, not just a help desk ticket.
Fifteen minutes with Corey Watson — the person who wrote every report on this page — on your Safeguards program and your wire fraud controls.
Questions mortgage brokers ask
No call-for-pricing games. Full rates are on our pricing page.
See full pricing →What compliance rule applies to mortgage brokers?
The GLBA Safeguards Rule (enforced by the FTC) applies to mortgage brokers as financial institutions handling nonpublic personal information — Social Security numbers, bank statements, income documentation, credit reports. It requires a written information security program, access controls, encryption, monitoring, and an incident response plan. NMLS licensing adds state-level recordkeeping requirements on top of it.
Why are mortgage brokers a wire fraud target?
A closing involves a large wire transfer, a tight deadline, and multiple parties (broker, title company, buyer, lender) emailing each other about it. Attackers compromise one inbox, watch the closing timeline, then send spoofed wire instructions at the exact moment the buyer is expecting them. Once a wire clears to the attacker's account, it's rarely recoverable — which is why catching the fraud before the wire moves is the entire game.
What happens to a closing if our systems go down?
Closings are date-locked — rate locks expire, sellers walk, and buyers can lose earnest money if a closing slips. An outage that takes down email, your loan origination system, or e-signature access on closing day doesn't just cost you productivity, it can cost your client the deal. That's why our response times are <15 minutes on critical issues, not next-business-day.
Does NPI need to be encrypted at rest and in transit?
Yes. The GLBA Safeguards Rule requires encryption of customer information both in transit and at rest, unless your qualified individual determines infeasibility and approves compensating controls in writing. In practice, that means encrypted email for loan documents, encrypted drives on every laptop, and encrypted backups — not a shared folder with a password on the file.
Do you work with our loan origination system?
We secure and monitor the endpoints, network, and identity layer your LOS runs on or connects to — patching, access controls, email security, and backup — regardless of which LOS platform you use. We don't build or sell LOS software.
What does this cost?
Our base managed IT and security plan is $150 per user per month, minimum 3 users, month-to-month with no long-term contract. That includes 24/7 monitoring, endpoint detection and response, patch management, and email security — the controls a Safeguards program is built on. Compliance program builds are quoted separately.