Ginnie Mae remains dedicated to the security and integrity of all operational systems and critical technology infrastructure related to the issuance and servicing of Ginnie Mae Mortgage-Backed Securities (MBS). In support of these objectives, Ginnie Mae will be implementing Cybersecurity Incident reporting requirements. Effective immediately, Issuers, including those who subservice for others will be required to notify Ginnie Mae of a Significant Cybersecurity Incident, as described below.
A Significant Cybersecurity Incident (Cyber Incident), is an event that actually or potentially jeopardizes, without lawful authority, the confidentiality, integrity, or availability of information or an information system; or constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies and has the potential to directly or indirectly impact the Issuer’s ability to meet its obligations under the terms of the Guaranty Agreement. The requirement to notify Ginnie Mae applies to all Issuers. Issuers who subservice for others must also notify Ginnie Mae when a Cyber Incident affects one or more of their subservicing clients.
Issuers must notify Ginnie Mae within 48 hours of detection that a Cyber Incident may have occurred. The notification must be sent to Ginnie Mae via email to: Ginnie_Mae_Cybersecurity_Incident@hud.gov and contain the following information:
- Date/time of Cyber Incident,
- A summary of the incident based on what is known at the time of notification,
- Designated point(s) of contact who will be responsible for coordinating any follow-up activities on behalf of the notifying party.
Once the notification is received, representatives from Ginnie Mae will contact the designated point of contact to obtain additional information and establish the appropriate level of engagement needed depending on the scope and nature of the incident. Ginnie Mae is reviewing its information security requirements with the intent of further refining its information security, business continuity and reporting requirements.
Ginnie Mae has revised Chapter 03, Part 18 of the Mortgage-Backed Securities Guide, 5500.3, REV-1 (MBS Guide), by adding Section C to reflect this new requirement. Additionally, the term Cybersecurity Incident has been added to the MBS Guide Glossary.
If you have any questions about the policy announced in this APM, please contact your Account Executive directly.