The Intermediary - June 2026 - Flipbook - Page 40
sharing and automation between multiple platforms. However, they also represent attractive targets for bad actors.

McKenna notes: "We recently conducted a simple test by placing an API on the internet with no fanfare or prior notification.

"Within 24 hours, it had been probed hundreds of times for weaknesses by actors from multiple regions.

“When attackers compromise an API or integration, they can extract vast amounts of data or gain deeper access to internal systems, often very quickly.”

As firms become increasingly reliant on third-party suppliers and technology partners, cyber resilience is no longer confined to an organisation's own systems.

Now, vulnerabilities can emerge anywhere across the broader ecosystem.

As a spokesperson for UK Finance warns: "Third-party suppliers can introduce vulnerabilities, so firms need strong security standards across their supply chains to identify and mitigate risk.

"Intermediaries handling large sums and sensitive client data are particularly attractive targets for criminals and should ensure their controls are proportionate to the risks they face.”

The same principle is increasingly relevant as customer interactions become more decentralised. Over the past two decades, financial services has steadily migrated away from the traditional branch model towards online banking and remote customer engagement.

Where protection once relied heavily on physical, fixed infrastructure, firms, lenders and brokers alike are now expected to deliver the same level of security across online portals.

Paul Walton, general manager at SBS, says: "Institutions that haven't updated their threat model alongside their service model are carrying more risk than they realise.

“The fraud picture with decentralised models is more nuanced than it might first appear. There are benefits to removing a single point of failure, but staff operating in less-controlled environments face a higher risk of social engineering.

"A broker completing a mortgage application at a customer's home, for instance, is outside the normal oversight of a branch environment, and that context can be exploited, whether that's a third-party present during the interaction, pressure to skip verification steps, or a customer who has already been coached by a fraudster before the appointment.”

He adds: “For firms working through this, the priority needs to be ensuring that mobile and tablet-based interactions are held to the same security standard as those that take place in a fixed location.”

The small firm dilemma

Awareness of risk has, of course, improved across the intermediary market. Conversations that may once have been confined to IT departments are increasingly mainstream, informing firms’ wider compliance discussions and strategic planning.

Yet, while understanding of the threat is growing, preparedness still remains uneven.

For larger organisations, dedicated security teams and sophisticated monitoring tools are often built into day-to-day operations. Smaller firms, however, frequently find themselves facing enterprise-level risks with fewer resources.

McKenna believes this disparity remains one of the industry's biggest challenges, adding: "We see some highly capable organisations taking a proactive approach to resilience and data protection. However, the smaller the business, the less likely these measures are to be prioritised or formally established."

This is not necessarily a reflection of complacency. For many smaller brokers, competing priorities and limited budgets can make cybersecurity investments difficult to justify, particularly when the threat feels somewhat abstract.

Yet cyber criminals are often less interested in the size of an organisation than the value of the data it holds. Mortgage brokers, by nature, routinely handle highly sensitive personal, financial and identity information, making them attractive targets regardless of their headcount.

As a result, attitudes towards cyber risk are beginning to shift. Howes believes there is a