Client Bulletin: August 19, 2022

Cenlar Appoints New Chairman of the Board

We’re excited to announce that Dave Applegate has been appointed Chairman of Cenlar’s Board of Directors.

Applegate has been a member of the board since 2020, and has more than 30 years of experience in residential real estate, mortgage banking and housing finance. He was previously the CEO for Common Securitization Solutions, LLC, a joint venture owned by Fannie Mae and Freddie Mac.

While at Common Securitization Solutions, he was responsible for building the technology and operations platform that allowed for the launch of the new Uniform Mortgage Backed Security (UMBS). The UMBS are now second only to U.S. Treasuries in worldwide trading.

Applegate also has been CEO of industry-leading organizations including Homeward Residential, Radian Mortgage Insurance and GMAC Mortgage and Bank. He has served on numerous boards, including Fannie Mae Advisory Board, the Board of the Federal Home Loan Bank of Pittsburgh, GMAC Real Estate, GMAC Mortgage, GMAC Bank (now Ally Bank) and Anthracite Capital, a Blackrock affiliate.

“Since I joined the board two years ago, I’ve seen a sincere commitment at Cenlar to investing in and continually improving the homeowner experience,” Dave said. “At Cenlar, people live our core values — Respect, Trust, Integrity and Caring — every day, and you can see it reflected in how dedicated employees are to providing the very best customer experience, each and every time. It’s rooted in a belief that our client partners’ homeowners should be treated as if they were our own.”

Updated Information for MOVEit Migration to the Cloud

Preparations for migrating MOVEit to the cloud in October are underway.

Please carefully read the instructions below to help us with testing in a few weeks, as much of the following information is new — including modified IP address instructions.

Contacting Cenlar

Any questions pertaining to preparing for or performing the migration to the new MOVEit environment should be directed to our migration technical support mailbox, MOVEitUpgrade@Cenlar.com.

Please contact your Client Manager only to indicate you have completed preparations for testing (whitelisting of IP addresses, etc.).

Whitelisting IP Addresses by Monday, August 29

Please update IP addresses for servers impacted by the MOVEit migration before Monday, Aug. 29 to ensure security protocols do not prevent you from testing and accessing the migrated environments.

The IP addresses you will need to use for the Disaster Recovery servers have changed. Please correct the following previously provided addresses and reference the Correct IP Address going forward. Any IP addresses provided for Disaster Recovery in July can be removed.

Server IP Address Previously
Provided in July
Correct IP Address
Disaster Recovery Transfer Server Outbound
Disaster Recovery Automation Server Inbound

If you have not done so already, you will also need to whitelist the following IP addresses:

Server Correct IP Address
Transfer Server Outbound
Automation Server Inbound

You also will need to allow the following ports and protocols in both Production and Disaster Recovery:

Transfer Servers Outbound (Production) and (Disaster Recovery)

Protocol Port
FTPS (FTP over SSL/TLS) 20021 to 20025

Automation Servers Inbound (Production) and (Disaster Recovery)

Protocol Port
SFTP/SCP, FTPS, HTTPS Specifically configured for your FTP host

You also will need to keep our old firewall rules active (, and during this transition in order to maintain access to the current production servers. We will reach out to you once we have confirmed the migration is complete and it is safe to deactivate the legacy IP address information.

MOVEit URLs and Domain Name Services (DNS) Advertised by Cenlar

Cenlar will transition the current sft.cennet.com legacy DNS name to the new MOVEit environment once we cutover beginning in October. If you access MOVEit via the sft.cennet.com URL today, you will continue to access MOVEit via the same sft.cennet.com URL after the migration.


We are asking that all clients perform testing in advance of the migration date. Testing capability is expected to be enabled in September.

A temporary URL is being created for you to test your access to the new MOVEit. This testing URL is sfttest2022.cennet.com. If your organization employs a web filtering service, appliance or software, you will need to contact your Web Filer Administrator to request that sfttest2022.cennet.com be whitelisted in the filter.

If you pull files from the MOVEit Transfer server, a Security Certificate will be provided to you to facilitate testing using the sfttest2022.cennet.com testing URL.

We will send you specific testing dates and instructions on how to test in a future communication.

We are looking forward to completing this migration, and thank you for assisting us as we continue to advance and evolve Cenlar’s technology. These efforts will enable us to better serve you and your homeowners.

Please share the information in this notice with your IT team. Thank you.

Exela Completes Cyber Incident Investigation

As you may recall, our lockbox/check processing vendor, Exela, experienced a cyber incident in late June that required it to shut down operations for several days. Exela, as part of its response, initiated an investigation led by a third-party forensics/cyber response team. We promised at that time to share the investigation’s findings as soon as we received them.

Now complete, the investigation found there was no evidence that any systems that host customer data were viewed or accessed during the incident, nor was there any evidence of activity, including exfiltration, on those systems.

The investigation also discovered:

  • The incident began on June 5, 2022 when the initial attack vector exploited a vulnerability in a web-based application on an internet-facing Exela system. This activity ended on June 19, 2022 when Exela discovered the issue and shut down its systems. This system then was isolated, and the vulnerability patched.
  • In shutting down its systems to contain potential threats, Exela effectively stopped all related malicious activity. There is no ongoing malicious activity from the threat actor on Exela’s systems after June 19, 2022.

Next Steps

Exela told us it continues to strengthen its security processes in line with guidance received from forensic experts and industry best practices.

Specifically, it has enacted a layered defense to protect against potential threats in the future. Components of this defense include:

  • Resetting user credentials across all domains and applications.
  • Segmenting its new environment from the old environment to help ensure the integrity of its restoration.
  • Deploying endpoint security software and industry-standard digital forensic and incident response tools across all compatible machines in Exela’s environment, which are actively monitored 24/7 by a security operations center.
  • Expanding existing capabilities to enhance its vulnerability and patch-management systems.
  • Continuing to improve email security utilizing email protection system controls, including by reducing attachment sizes, strengthening spam filters, increasing phishing simulations and implementing a zero-trust environment that maintains security requirements.
  • Enhancing remote VPN security.
  • Validating multifactor authentication requirement for all VPN users.
  • Decommissioning more than 500 servers incompatible with Exela’s new enhanced security requirements.

Exela also stated it intends to continue to review, assess and improve its security capabilities going forward.

Cenlar utilized its Cyber Incident Response playbook during the incident. The playbook allows Cenlar to conduct a prompt and coordinated response during any incident, in line with our established and exercised response plan and guided by our suite of cyber incident response documents.

Client Guidance on Document Custodian Information and
Original Documents

In order to assure we have correct document custodian information and avoid the loss or destruction of original loan documents, it’s critical that you follow the guidance listed below.

Changes to Document Custodian Information

  • Clients should provide Cenlar with updates regarding changes to document custodians. Clients must notify Cenlar of any changes to their document custodians either at the investor or loan level, including a change of address.
  • Cenlar will begin providing a Doc Custodian Client Report that will be distributed quarterly on the first day of each quarter. This report will provide clients with custodian information on record at Cenlar, so clients can perform a quarterly review of document custodian data. The first report will be distributed on Sept. 1, 2022 in order to assist in an initial review effort. The quarterly reporting will begin on Oct. 1, 2022.
  • Clients should submit all document custodian changes to investorconversionsdist@cenlar.com . We have updated the client support options matrix to include this email box. For new investors, please submit a completed Investor Setup Sheet, which contains document custodian setup information for new investors. Please note, the investor-level document custodian will appear on all loans for that investor. If there are loan-level differences, there are two additional loan-level data fields that can be used to store document custodian information to either override the investor-level data or provide custodian information for specific loan documents, if needed.

Original Documents

  • Clients should not send Cenlar original loan documents either at the time of loan boarding or upon liquidation, if they are being released by the client’s document custodian. Clients are responsible for managing their original documents. Only provide original documents when requested by Cenlar — for example, when needed for certain servicing functions such as default processing or loan satisfaction.
  • Cenlar does not store client original loan documents at liquidation, if they are being released by the client’s document custodian. Clients are responsible for managing their original loan documents held by the custodian.
  • Clients must notify their document custodians of all servicing transfers to ensure collateral is released to the new servicer.
  • Clients should instruct their third-party providers, such as closing agents and title companies, not send any original closing documents to Cenlar or to any of our third-party providers. We are experiencing significant volumes of documents being submitted to Assurant from title companies and closing agents that are using Assurant’s Florence, South Carolina address from transfer instructions/new loan instructions. Assurant is our vendor for insurance policies/claims only. Assurant attempts to return original documents to the sender or send to Cenlar’s Records Department. Cenlar is not responsible for original documents sent to Cenlar in error and not related to our servicing functions.

Reminder: Edits to New Loans Interface

In the May 20, 2022 Client Bulletin, we alerted you to several edits to our New Loans Interface (XML) requirements. In the coming weeks, if these new data requirements are not corrected and submitted properly into the system, the loans will not be accepted into our system.

Cenlar added, in June, the following new edits to loans boarded into the system: Missing PMI Primary Coverage Percent, Invalid PMI Guarantee Number and Invalid Bill Code. If the required data is missing, you will see a field displayed as a Warning.

If the data requirements for Missing PMI Primary Coverage Percent, Invalid PMI Guarantee Number and Invalid PMI Bill Code have not been corrected and submitted properly into the system, you will receive a field displaying Reject. Please note that this change means that any loans submitted without the necessary data as of Sept. 15, 2022 will not be accepted into the system, and you will be notified it has been rejected.

An Update with Cenlar Leadership on Sept. 8

Please save the date for the latest in our series of regular updates.

WHAT: Learn from Cenlar leadership about our recent accomplishments and areas of focus for the months ahead.

WHEN: Thursday, Sept. 8 at 3:30 p.m. ET

We will share information on how to dial-in in a future communication, closer to the date of the call.

Updates to Client Support Matrix

In addition to the new procedure for Doc Custodian changes [see Doc Custodian article above], we have made two additional adjustments to the Client Support Matrix:

  1. Tax-Multiple Parcels email box has been removed. Clients should submit multiple parcel tax info via CCM.
  2. The Investor Setup Form has been added to the Investor Reporting box.

If you have any questions, please reach out to your client manager.