Everyone Owns Cyber Risk: Shared Responsibility in Mortgage Cybersecurity

Since cybersecurity is a set of risk management techniques that protect the security of systems and the privacy of information, breaking those systems down by organizational unit complicates the question of who owns cyber risk.  Every other business risk has a direct owner:

  • Oversight risk?  Board.

  • Strategic risk?  CEO.

  • Finance risk? CFO.

  • Operational risk? COO.

  • Legal risk? GC.

  • Compliance risk? GC, Outside counsel, and/or Compliance.

  • Human risk? HR.

But cyber cuts across all organizational lines.  Technical.  People.  Operational.  So, coming back to our question: who owns cyber risk?  Everyone.

That is right, everyone is responsible for cyber risk.

Yes, the CISO (Chief Information Security Officer, or another designated official) leads the effort, and technology protects systems against external and internal threats while other tools identify gaps and potential vulnerabilities.

But cyber risks affect every other business risk.

Cyber affects…

  • Oversight risk if the Board does not have proper cybersecurity expertise;

  • Strategic risk if a corporate course is embarked upon without cyber engagement or IP is leaked to competitors;

  • Financial risk through ransomware extortion and other threats;

  • Operational risk with failed supply chains, corrupted data, etc.;

  • Legal risk through leaked sensitive information;

  • Compliance risk through failing to keep pace with increasing security and privacy regulatory scrutiny;

  • Human risk from leaked information, employee burnout from response, insider threats from bad employees, etc.

Cybersecurity is as much a cultural mindset of an organization as it is a specific program.  A strong cybersecurity culture encourages any employee to question something that does not look right, or to report something wrong, without fear of consequences.  Cybersecurity is everyone’s responsibility.  Everyone owns cyber risk.

Kevin Robinson, CISSP, QTE, Associate C|CISO, is Head of Cybersecurity Services for The Commonwealth Group.  He has a 20-year career in cybersecurity, risk assessment, intelligence and counterintelligence.  His previous employers include Thornburg Investment Management, Los Alamos National Laboratory, L3Harris, and the Central Intelligence Agency.