Ginnie Mae announces new cyber incident notification requirements

As home lending industry grapples with increased cyber risk, Ginnie adds new layer of protection

With the mortgage industry in the throes of months of cyberattacks, a proactive Ginnie Mae has announced new incident notification requirements for issuers of its mortgage-backed securities (MBS).

The government-owned mortgage corporation announced the new rule via an All Participants Memorandum (APM) sent out to lenders and other business partners. Effectively immediately, according to the APM, issuers must notify Ginnie Mae of a “significant cybersecurity incident” within 48 hours of detection.

Per Ginnie Mae, such an incident is “an event that actually or potentially jeopardizes, without lawful authority, the confidentiality, integrity, or availability of information or an information system; or constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies and has the potential to directly or indirectly impact the issuer’s ability to meet its obligations under the terms of the Guaranty Agreement.”

The new requirement applies to all issuers; issuers who subservice for other companies are required to notify Ginnie Mae whether the incident affected their own portfolio and/or one or more subserviced portfolios.

The notification, which must be sent to Ginnie via email, must contain the date and time of the incident; a summary of the incident based on what’s known at the time of notification; and a point of contact. Once notified, Ginnie Mae representatives will reach out to the point of contact to gather information and “establish the level of engagement needed,” depending on the scope and nature of the incident.

“These Cybersecurity Incident Reporting requirements are an important part of managing cyber risk that could impact our program,” said Alanna McCargo, president of Ginnie Mae. “Prompt and clear communication is critical to managing cybersecurity events as they unfold. This new requirement is an important step in further enhancing our cybersecurity framework to meet current and future needs.”

Ginnie’s new requirements come as the mortgage industry continues to grapple with a monthslong string of destructive data breaches, some of which have cost lenders millions of dollars. Fairway announced last week that it was the victim of a December cyberattack, following similar breaches at Mr. Cooper, Fidelity National Financial, First American Financial Corp., and LoanDepot.


More Headlines