Mortgage

The Constantinople Strategy: Why Mortgage Banks Need More Than Just Cyber Insurance 

For more than 1,000 years, Constantinople stood as the gleaming capital of the Eastern Roman Empire, withstanding countless sieges and attacks. The city’s legendary defenses included massive triple-layered walls that towered more than 40-feet high and a giant iron chain that could be raised across the Golden Horn to prevent naval assaults. These comprehensive defenses made Constantinople virtually impenetrable. 

Until they weren’t. 

In 1453, Ottoman forces under Mehmed II arrived with something no previous attacker had possessed: massive bronze cannons capable of firing 1,200-pound stone balls that could shatter the once-impenetrable walls. After 53 days of bombardment, the city’s defenses—unchanged for centuries despite evolving threats—finally crumbled. 

History’s Lesson for Today’s Mortgage Industry 

This ancient story holds a powerful lesson for today’s mortgage lenders facing an evolving landscape of cyber threats. Like Constantinople’s defenders, many institutions rely on defenses that once seemed adequate but may not protect against modern attacks. And too many firms believe cyber insurance alone will save them if their defenses fail. 

They’re wrong. 

Recent sophisticated attacks against mortgage institutions have employed advanced tactics including supply chain compromises, zero-day exploits, and multi-stage ransomware deployments. These attacks bypass traditional security measures, exfiltrate sensitive borrower data, and encrypt critical systems. 

In several high-profile cases, these breaches have caused catastrophic business disruption—delaying loan closings by several weeks, preventing customers from accessing payment systems, and exposing personally identifiable information for millions of mortgage borrowers. 

The damages from these incidents extend far beyond what insurance alone can repair. 

The Unintended Consequence of Cyber Insurance 

Mortgage lenders understand risk management better than most. You wouldn’t underwrite a loan without thorough diligence, regardless of mortgage insurance coverage. Yet many firms take precisely this approach with cybersecurity on these important underwriting systems and processes: minimal security measures coupled with an insurance policy they hope will cover losses. 

This is the equivalent of approving loans with minimal underwriting standards simply because you have mortgage insurance. No responsible lender would do this because they know the consequences extend far beyond the financial losses insurance might cover. 

Mortgage lenders need cyber insurance, but cyber insurance is a part of an intelligent security strategy and not THE strategy. Be careful not to allow complacency to be the unintended consequence of investing in cybersecurity insurance. 

What Insurance Covers—And What It Doesn’t 

When attackers breach your systems, cyber insurance typically covers direct costs like: 

• Legal fees and settlements 

• Forensic investigations 

• Customer notification expenses 

• Credit monitoring services 

• Some business interruption losses 

• Ransom payments (though coverage is increasingly limited) 

What it doesn’t cover: 

• Lasting reputation damage that erodes client trust 

• Operational disruption beyond the coverage period 

• Regulatory scrutiny that may persist for years 

• Higher insurance premiums following a breach 

• Market share losses that may never recover 

The critical question for mortgage lenders isn’t whether your cyber insurance will pay out after an attack—it’s whether your business will remain crippled long after the insurance payments cease. 

The Underwriting Approach to Cybersecurity 

At Richey May, we believe mortgage lenders should approach cybersecurity the same way they approach underwriting a loan application: with deep due diligence, layered safeguards, and ongoing monitoring. 

Just as meticulous underwriting reduces risk in the mortgage origination process even when market conditions change, vigilant cybersecurity reduces breach risks even as threats evolve. And just as mortgage underwriting minimizes your risk, effective cybersecurity does the same, leading to more affordable and comprehensive cyber insurance. 

The most effective strategy combines: 

1. Comprehensive Security Architecture: Multiple defensive layers that protect both obvious and less apparent vulnerabilities 

2. Evolving Threat Adaptation: Regular security assessments and technology updates that address emerging threats 

3. Strategic Insurance Coverage: Policies that complement your security measures and provide appropriate financial protection 

The Real Cost of a Mortgage Industry Breach 

Recent mortgage industry data breaches illustrate the devastating impact beyond mere financial losses: 

• A breach at one firm exposed more than 2.5 million mortgage customer records, resulting in multiple class action lawsuits. The litigation expenses alone exceeded their insurance coverage by 40%. 

• A prominent insurance company suffered a security incident that occurred while they were still addressing remediation requirements from a previous breach. The second breach triggered regulatory penalties, significantly higher recovery costs, and almost immediately impacted their stock price. 

• A large company experienced a ransomware attack that resulted in nearly 20 million compromised customer records. The attackers used a sophisticated technique called “living off the land,” where they leveraged legitimate system tools to move laterally within the network, making the attack harder to detect. The incident required the company to rebuild their entire network infrastructure—a cost partially covered by insurance but with business disruption extending months beyond the coverage period. 

These are not isolated incidents. According to a recent survey, 57% of business leaders think cyberattacks are inevitable. The question isn’t if you’ll face an attack—it’s how prepared you’ll be when it happens. 

What Deep Experience Looks Like 

At Richey May, we’ve evolved beyond traditional “checklist compliance” approaches to cybersecurity. Our deep industry experience has taught us that effective protection requires seeing the big picture—understanding how all elements of your security posture, insurance coverage, and regulatory requirements fit together. 

We help mortgage lenders build multi-layered defenses that: 

• Cut cyber insurance premiums by up to 30% 

• Protect your reputation with customers and partners 

• Keep operations running even during attempted breaches 

• Stay ahead of new threats before they harm your business 

Unlike firms that simply check boxes, our team brings detective-like curiosity to identify patterns, gaps, and vulnerabilities others miss—areas hackers will exploit when they turn their attention to you. 

The Constantinople Strategy for Cybersecurity 

Constantinople’s defenders failed because they didn’t adapt their defenses to changing threats. Modern mortgage lenders face the same risk if they rely on outdated security approaches or believe insurance alone will save them. 

The Constantinople Strategy flips this scenario: Combine multiple defensive layers with the ability to adapt to new threats, backed by appropriate insurance coverage for scenarios you can’t fully prevent. 

This balanced approach not only reduces your vulnerability to attacks but also lowers your insurance costs—often saving more in premiums than you spend on additional security measures. 

Beyond Due Diligence 

When you’re protecting your company, not just your job, you need more than a checklist approach to cybersecurity and insurance. You need a strategic partner who can bring a holistic picture of your situation together, sniff out the vulnerabilities, and set them right. 

At Richey May, that’s what deep experience looks like. 

Contact our cybersecurity team today to schedule a complete assessment that will strengthen your defenses and cut your insurance premiums. Remember: the best time to strengthen your walls is before the cannons arrive.