Alan Jaffa and Darren Kruk Discuss Building a Chain of Compliance

In its November issue, DSNews featured an article authored by Safeguard Properties CEO, Alan Jaffa, and Information Security Officer, Darren Kruk, titled Building a Chain of Compliance.

BUILDING A CHAIN OF COMPLIANCE

A layered approach maintains the integrity and strength of information security in the mortgage servicing industry.

There is an old proverb that says a chain is only as strong as the weakest link. This is true in the mortgage servicing industry when managing data security. Mortgage servicers, at the top of the chain, have systems and policies in place to protect private and confidential information at the highest levels.

In turn, servicers share certain information with their field service partners—the next link in the chain—when property preservation services are required to inspect and maintain vacant and defaulted properties. Those companies then provide access to data as required to other links in the chain—employees, inspectors, and contractors who monitor and perform services at those properties.

Every link in the chain must be equally strong in understanding and adhering to policies and procedures to protect the security and integrity of confidential information. Ongoing data security training is critical to ensure that every person who has access to sensitive information complies on a day-to-day basis with all applicable guidelines and requirements.

Those include the unique requirements of mortgage companies and their field service partners, as well as industry and regulatory guidelines of agencies such as the Consumer Financial Protection Bureau (CFPB), Fannie Mae, Freddie Mac, HUD, and the U.S. Department of Veterans Affairs (VA).

The challenge in protecting data through an entire chain of participants is that it becomes more difficult to ensure the confidentiality of data down each successive link. Small business contractors, for example, may not have the technical resources of a large mortgage servicer or national field service company but still must make sure the data they access is protected with the same vigilance. To ensure compliance, field services companies must not only educate their inspector and contractor networks on best practices for physical and information security, but they must also routinely monitor and audit them to ensure compliance.

Data asset management is a critical component of information security. Every company needs to understand the data it has collected, its classification, and how and where it is stored. Knowing the nature of this data is important for protection, and anyone who has access to confidential data should take appropriate measures to protect it.

Protecting Access and Passwords
Inspectors and contractors performing work at properties are granted limited access to field service and client systems that contain confidential information that they need to complete their work. All user names and passwords, as well as data housed on systems, must be kept confidential. This also applies to the inspectors’ and contractors’ own systems and accounts. IDs and passwords should not be shared or displayed in a public place.

As field servicing companies develop mobile applications to better service the needs of their clients, it becomes more important for inspectors and contractors to ensure their systems are secure.

People use computers and smartphones in almost every aspect of modern life. These devices, while they grant access to a variety of services and information, also can become coveted honeypots of information. If exploited, these devices can be susceptible to identity theft.

Inspector and contractor networks need to create complex passwords for all devices used in the office and in the field including computers, laptops, tablets, and smartphones. It also is important to change those passwords on a frequent basis to prevent attacks that may compromise accounts.

Anti-Virus and Firewall Programs
Most people understand the importance of anti-virus programs, especially those who have experienced the complications of a virus that has infected their computers or systems. Firewalls, while not as widely used, are just as important. These programs, when installed correctly, can help to prevent hackers from gaining access to systems, computers, files, and confidential data. They need to be renewed frequently with the latest virus definitions and firewall updates.

While keeping anti-virus software up-to-date, it is important to patch the operating system and programs, as well. There are new vulnerabilities that are discovered frequently within these programs and systems that may allow unwanted intruders to gain access to confidential data. The companies that create this software release security patches and updates to plug these holes. It is critical these systems are current, especially on mobile devices.

Encrypting Drives
Encryption is the process of encoding data in a way that hackers cannot read it, but that authorized parties can. It is critical for not only the hard drives on computers, but also the easy-to-use external thumb drives. In the event of a loss, the encrypted data that resides on these drives would be useless to hackers who may look to improperly use the information contained within them.

Many different programs can be used to encrypt drives and systems. These include Bitlocker (included with Windows OS) and True Crypt (which can be used to encrypt external and thumb drives), as well as whole drive encryption programs such as those made by CheckPointe and Sophos.

Shred, Shred, Shred
The importance of a good confetti-cut shredder to destroy confidential documents cannot be overstated. Strip-cut shredders are not effective because the remnants can be reconstituted too easily. Policies should be in place to shred all documents that contain confidential data of any type.

Once a business identifies the types of data that are confidential, anything written down or printed out containing that sensitive information needs to be shredded rather than tossed in a trash bin.

Often forgotten are post-its or other notepads. People use them for everything from taking down phone numbers and account numbers to even remembering passwords. They attempt to hide them where they think no one else will find them, such as under their computer monitors or keyboards, and as a result, they often forget to shred them. Anything with confidential or classified information must be shredded to ensure full data security.

Physical Security
In addition to securing systems and devices, all businesses need to be aware of potential physical security concerns. All access to business systems and buildings should be protected. This must include access by every person who enters a facility, from the guy delivering water to the technicians who work on computer systems. Every person who enters a facility must be viewed as a potential data security risk and should be assessed and controlled accordingly.

At the same time, it’s important to recognize the need for different levels of security control based on the potential risk that a vendor or service provider may pose. For example, a grass-cut vendor will require different levels of control than a technician who is repairing computers. The technician, who may have more access to data within a company’s systems, presents a greater risk and thus the company should work under tighter controls. Does the technician require a master password to access all data or just what he needs to fix? Does he work for a reputable vendor? These are the types of questions that should be addressed before systems vendors and technicians are called in to complete work.

Physical access to computer systems is another important consideration. Most people do not realize that passwords are not needed if someone has physical access to a system. There are alternate ways to remove or change passwords on everything from networking devices to operating systems if someone has physical access to those devices. This applies to backups of data and systems as well as to originals. All outside technicians or vendors need to be monitored while completing work. A trusted company employee should be at a system vendor’s side throughout his or her entire visit.

Communication Is Sacred
Field service companies need to continually remind their inspector and contractor networks that electronically transmitted communications must be protected. When communicating in person, it is easy to control the audience. This is not the case with electronic communication.

Every day and in every business, people send emails, text messages, and voicemails to others and have no idea who else may have access to these messages. These forms of communications must be secured so that confidential data does not become compromised.

To ensure the security of all electronic communications, any websites being viewed on company computers need to have a secure sockets layer (SSL) when confidential data is being transferred, and any email provider must use transport layer security (TLS). SSLs and TLS provide communication security over the Internet and allow for data and message confidentiality. Any data transfers should proceed only if these protections are in place.

Being cautious when relaying confidential information applies to phone conversations as well. It is critical to validate who is on the other end of the phone line before discussing any sensitive data.

Use Common Sense
Every situation concerning confidential client and property information needs to be evaluated to strengthen every link in the information and data chain. The process requires common sense, vigilance, and ongoing training to ensure that all guidelines, regulations, and best practices established by mortgage companies, regulators, and field service companies are followed.

Inspectors and contractors in the field need to be aware of potential security breaches and take the necessary precautions to keep all confidential data secure. It is everyone’s job to make sure that each link of the chain is as strong as possible.

Alan Jaffa is the CEO and Darren Kruk is the information security officer of Safeguard Properties, the largest mortgage field service company in the United States.

Please click here to view the article in PDF.

About Safeguard 
Safeguard Properties is the largest mortgage field services company in the U.S. Founded in 1990 by Robert Klein and based in Valley View, Ohio, the company inspects and maintains defaulted and foreclosed properties for mortgage servicers, lenders,  and other financial institutions. Safeguard employs approximately 1,700 people, in addition to a network of thousands of contractors nationally. Website: www.safeguardproperties.com.

x

CHIEF EXECUTIVE OFFICER

Alan Jaffa

Alan Jaffa is the chief executive officer for Safeguard, steering the company as the mortgage field services industry leader. He also serves on the board of advisors for SCG Partners, a middle-market private equity fund focused on diversifying and expanding Safeguard Properties’ business model into complimentary markets.

Alan joined Safeguard in 1995, learning the business from the ground up. He was promoted to chief operating officer in 2002, and was named CEO in May 2010. His hands-on experience has given him unique insights as a leader to innovate, improve and strengthen Safeguard’s processes to assure that the company adheres to the highest standards of quality and customer service.

Under Alan’s leadership, Safeguard has grown significantly with strategies that have included new and expanded services, technology investments that deliver higher quality and greater efficiency to clients, and strategic acquisitions. He takes a team approach to process improvement, involving staff at all levels of the organization to address issues, brainstorm solutions, and identify new and better ways to serve clients.

In 2008, Alan was recognized by Crain’s Cleveland Business in its annual “40-Under-40” profile of young leaders. He also was named a NEO Ernst & Young Entrepreneur of the Year® finalist in 2013.

x

Chief Operating Officer

Michael Greenbaum

Michael Greenbaum is the chief operating officer for Safeguard. Mike has been instrumental in aligning operations to become more efficient, effective, and compliant with our ever-changing industry requirements. Mike has a proven track record of excellence, partnership and collaboration at Safeguard. Under Mike’s leadership, all operational departments of Safeguard have reviewed, updated and enhanced their business processes to maximize efficiency and improve quality control.

Mike joined Safeguard in July 2010 as vice president of REO and has continued to take on additional duties and responsibilities within the organization, including the role of vice president of operations in 2013 and then COO in 2015.

Mike built his business career in supply-chain management, operations, finance and marketing. He has held senior management and executive positions with Erico, a manufacturing company in Solon, Ohio; Accel, Inc., a packaging company in Lewis Center, Ohio; and McMaster-Carr, an industrial supply company in Aurora, Ohio.

Before entering the business world, Mike served in the U.S. Army, Ordinance Branch, and specialized in supply chain management. He is a distinguished graduate of West Point (U.S. Military Academy), where he majored in quantitative economics.

x

CHEIF INFORMATION OFFICER

George Mehok

George Mehok is the chief information officer for Safeguard. He is responsible for all strategic technology decisions, new systems deployments and data center operations supporting a national network of more than 10,000 mobile workers.

George has more than 20 years of leadership experience dedicated to high-growth companies in the mobile telecommunications and financial services industries, spanning startups to global industry leaders.

George played a senior role in the formation of Verizon Wireless, leading the IT product development and strategic planning team. He led the integration planning for the Verizon merger including: GTE, Vodafone-AirTouch, Bell Atlantic Mobile and PrimeCo.

As chief information officer at Revol Wireless, a VC-backed CDMA wireless communications network operator, George’s team implemented an integrated technology infrastructure and award-winning business intelligence platform.

George holds a bachelor’s degree in political science and economics from Eastern Michigan University and an M.B.A. from The Ohio State University. He is a board member of Akron University’s School of Business Center for Information Technology, in addition to an advisory board member for OHTec.

In 2013, George won the Crain’s Cleveland Business CIO of the Year award for his team’s work in completing a major acquisition and technology transformation at Safeguard. In 2015, George’s team was recognized by InformationWeek’s annual Elite 100 ranking of the most innovative U.S.-based users of business technology. The mobile inspection technology developed at Safeguard was selected as InformationWeek’s “One of the top 20 ideas to steal in 2015”.

x

General Counsel and Executive Vice President

Linda Erkkila, Esq.

Linda Erkkila is the general counsel and executive vice president for Safeguard, with oversight responsibilities for the legal, human resources, training, compliance and audit departments. Linda’s broad scope of oversight covers regulatory issues that impact Safeguard’s operations, pro-active risk mitigation, enterprise strategic planning, human capital and training initiatives, compliance and audit services, litigation and claims management, and counsel related to mergers, acquisition and joint ventures.

Linda’s oversight of the legal department along with multiple compliance and human capital focused departments assures that Safeguard’s strategic initiatives align with its resources, leverage opportunities across the company, and contemplate compliance mandates. Her practice spans almost 20 years, and Linda’s experience, both as outside and in-house counsel, covers a wide range of corporate matters, including regulatory disclosure, corporate governance compliance, risk assessment, executive compensation, litigation management, and merger and acquisition activity. Her experience at a former Fortune 500 financial institution during the subprime crisis helped develop Linda’s pro-active approach to change management during periods of heightened regulatory scrutiny.

Linda previously served as vice president and attorney for National City Corporation, as securities and corporate governance counsel for Agilysys Inc., and as an associate at Thompson Hine LLP. She earned her JD at Cleveland-Marshall College of Law. Linda holds a degree in economics from Miami University and an MBA. In 2017, Linda was named as both a “Woman of Influence” by HousingWire and as a “Leading Lady” by MReport.

x

Chief Financial Officer

Joe Iafigliola

Joe Iafigliola is the Chief Financial Officer for Safeguard. Joe is responsible for the Control, Quality Assurance, Business Development, Accounting & Information Security departments, and is a Managing Director of SCG Partners, a middle-market private equity fund focused on diversifying and expanding Safeguard Properties’ business model into complimentary markets.

Joe has been in a wide variety of roles in finance, supply chain management, information systems development, and sales and marketing. His career includes senior positions with McMaster-Carr Supply Company, Newell/Rubbermaid, and Procter and Gamble.

Joe has an MBA from The Weatherhead School of Management at Case Western Reserve University, is a Certified Management Accountant (CMA), and holds a bachelor’s degree from The Ohio State University’s Honors Accounting program.

x

AVP, High Risk and Investor Compliance

Steve Meyer

Steve Meyer is the assistant vice president of high risk and investor compliance for Safeguard. In this role, Steve is responsible for managing our clients’ conveyance processes, Safeguard’s investor compliance team and developing our working relationships with cities and municipalities around the country. He also works directly with our clients in our many outreach efforts and he represents Safeguard at a number of industry conferences each year.

Steve joined Safeguard in 1998 as manager over the hazard claims team. He was instrumental in the development and creation of policies, procedures and operating protocol. Under Steve’s leadership, the department became one of the largest within Safeguard. In 2002, he assumed responsibility for the newly-formed high risk department, once again building its success. Steve was promoted to director over these two areas in 2007, and he was promoted to assistant vice president in 2012.

Prior to joining Safeguard, Steve spent 10 years within the insurance industry, holding a number of positions including multi-line property adjuster, branch claims supervisor, and multi-line and subrogation/litigation supervisor. Steve is a graduate of Grove City College.

x

AVP, Operations

Jennifer Jozity

Jennifer Jozity is the assistant vice president of operations, overseeing inspections, REO and property preservation for Safeguard. Jen ensures quality work is performed in the field and internally, to meet and exceed our clients’ expectations. Jen has demonstrated the ability to deliver consistent results in order audit and order management.  She will build upon these strengths in order to deliver this level of excellence in both REO and property preservation operations.

Jen joined Safeguard in 1997 and was promoted to director of inspections operations in 2009 and assistant vice president of inspections operations in 2012.

She graduated from Cleveland State University with a degree in business.

x

AVP, Finance

Jennifer Anspach

Jennifer Anspach is the assistant vice president of finance for Safeguard. She is responsible for the company’s national workforce of approximately 1,000 employees. She manages recruitment strategies, employee relations, training, personnel policies, retention, payroll and benefits programs. Additionally, Jennifer has oversight of the accounts receivable and loss functions formerly within the accounting department.

Jennifer joined the company in April 2009 as a manager of accounting and finance and a year later was promoted to director. She was named AVP of human capital in 2014. Prior to joining Safeguard, she held several management positions at OfficeMax and InkStop in both operations and finance.

Jennifer is a graduate of Youngstown State University. She was named a Crain’s Cleveland Business Archer Award finalist for HR Executive of the Year in 2017.

x

AVP, Application Architecture

Rick Moran

Rick Moran is the assistant vice president of application architecture for Safeguard. Rick is responsible for evolving the Safeguard IT systems. He leads the design of Safeguard’s enterprise application architecture. This includes Safeguard’s real-time integration with other systems, vendors and clients; the future upgrade roadmap for systems; and standards designed to meet availability, security, performance and goals.

Rick has been with Safeguard since 2011. During that time, he has led the system upgrades necessary to support Safeguard’s growth. In addition, Rick’s team has designed and implemented several innovative systems.

Prior to joining Safeguard, Rick was director of enterprise architecture at Revol Wireless, a privately held CDMA Wireless provider in Ohio and Indiana, and operated his own consulting firm providing services to the manufacturing, telecommunications, and energy sectors.

x

AVP, Technology Infrastructure and Cloud Services

Steve Machovina

Steve Machovina is the assistant vice president of technology infrastructure and cloud services for Safeguard. He is responsible for the overall management and design of Safeguard’s hybrid cloud infrastructure. He manages all technology engineering staff who support data centers, telecommunications, network, servers, storage, service monitoring, and disaster recovery.

Steve joined Safeguard in November 2013 as director of information technology operations.

Prior to joining Safeguard, Steve was vice president of information technology at Revol Wireless, a privately held wireless provider in Ohio and Indiana. He also held management positions with Northcoast PCS and Corecomm Communications, and spent nine years as a Coast Guard officer and pilot.

Steve holds a BBA in management information systems from Kent State University in Ohio and an MBA from Wayne State University in Michigan.

x

AVP, Mobile and Analytics

Jason Heckman

Jason Heckman is the assistant vice president of mobile and analytics for Safeguard. He is responsible for both Safeguard’s mobile development and strategy as well as the company’s data warehousing and business intelligence. Jason oversees the design, development and release of all Safeguard’s internally developed mobile applications. He also oversees the development and delivery of operational and analytical data technologies throughout the organization.

Jason joined Safeguard as manager of mobile in 2012. During that time he led the development and integration of Safeguard’s mobile applications across the company’s vendor network to provide real-time data from the field. In 2014, he was promoted to director of mobile applications and named assistant vice president in 2017.

Prior to joining Safeguard, Jason was the director of application development and business intelligence for Revol Wireless, a privately held wireless provider in Ohio and Indiana.

Jason holds a bachelor’s degree in business management from Case Western Reserve University in Ohio.

x

AVP, Business Development

Tim Rath

Tim Rath is the AVP of business development for Safeguard. He is responsible for developing innovative growth strategies for Safeguard and developing and overseeing potential partnerships, mergers and acquisitions.

Tim joined Safeguard in 2011 as project director and has filled numerous roles within Vendor Management, most recently serving as director of vendor management, a role he assumed in 2011.

Prior to Safeguard, Tim worked as director of supply chain at PartsSource Inc. in Aurora, Ohio, a provider of medical replacement parts, procurement solutions and healthcare supply chain management technology services. He also has held sales positions with Rexel, ComDoc, and Pier Associates, all based in Ohio.

Tim holds a degree in marketing and sales from The University of Akron in Akron, Ohio. He also earned his FAA Certified Commercial UAS (Drone) Pilot license in 2017.