Why Most Mortgage Companies Don’t Actually Own Their Backup Strategy

Most mortgage companies assume their systems are backed up. But many lenders don’t actually control their own mortgage backup strategy. Here’s why it matters.

Servers are replicated. Microsoft 365 is “in the cloud.” The LOS vendor says data is protected. IT sends a report that backups completed successfully.

But here’s the uncomfortable question:

Who actually owns the backup strategy?

In many organizations, the answer is: no one internally.

Many lenders also assume they control their LOS data simply because they can access it inside the system. In reality, data access and data control are very different concepts, which I explored in more detail in “Who Really Controls Your LOS Data?”

The Illusion of Protection

Mortgage companies often rely on:

  • LOS vendor backups

  • Microsoft 365 native retention

  • A third-party MSP running Veeam or Datto

  • Cloud storage replication

All of those are components of protection.

None of them, by themselves, represent ownership.

If you cannot clearly answer the following, you don’t own your backup strategy:

  • Where is your data physically stored?

  • How quickly can you restore a full environment?

  • Who has encryption keys?

  • What is your tested recovery time objective (RTO)?

  • Have you performed a full restoration test in the last 12 months?

Backup success emails are not a recovery plan.

Vendor Backups vs. Business Continuity

LOS providers back up their infrastructure. That does not mean:

  • You can retrieve historical loan data on demand

  • You can extract data in a litigation-ready format

  • You control retention timelines

  • You can restore outside of their platform

Microsoft 365 retains data within its ecosystem. That is not the same as maintaining an independent, business-controlled archive.

True ownership means:

  • You control a copy of critical data

  • You understand your retention requirements

  • You can restore without asking permission

  • You have documented recovery procedures

The Compliance Reality

Mortgage companies operate in a regulated environment. Examiners don’t ask:

“Did your vendor say they back it up?”

They ask:

  • Show me your disaster recovery documentation.

  • When was it last tested?

  • Where is your offsite copy?

  • Who signs off on backup integrity?

If the answer depends on a vendor portal login, you don’t control the risk.

What Ownership Looks Like

Owning your backup strategy means:

  1. Defined data classifications (LOS, email, file shares, accounting, etc.)

  2. Independent backups for critical systems

  3. Encryption with controlled key management

  4. Annual documented recovery testing

  5. Executive visibility into RTO/RPO metrics

  6. A documented exit strategy from every major vendor

It is not about distrust.

It is about control.

Final Thought

Your LOS data is one of your company’s most valuable assets.

If your backup strategy depends entirely on someone else’s infrastructure, policies, or financial stability, you are renting security, not owning it.

In mortgage banking, that is a risk worth evaluating.