Adrian Johnson
TLDR:
- Ginnie Mae now requires issuers to report cybersecurity incidents promptly within 48 hours.
- Issuers must provide specific information and a designated point of contact for follow-up inquiries.
In a recent development, Ginnie Mae has added a new cyber security notification requirement for all issuers. The government mortgage-backed securities guarantor is now directing issuers to report cybersecurity incidents promptly within 48 hours of occurrence. There are specific instructions for subservicers as well, who must report if a concern affects one or more of their clients. Ginnie has set up an email for notification and requires issuers to provide detailed information such as the time and date of the concern, a summary of the incident, and a designated point of contact for inquiries.
Key Points:
Ginnie Mae requires prompt reporting of cybersecurity incidents with specific information provided within 48 hours.
Subservicers must report any concerns affecting their clients.
Ginnie Mae defines a cybersecurity incident as any unauthorized access to confidential information or nonpublic personal information.
Multiple mortgage companies, including Mr. Cooper and Fidelity National Financial, have faced cyberattacks and litigations.
The Federal Trade Commission rule will require notification within 30 days of a breach affecting 500 or more individuals.
