Ginnie Mae remains dedicated to the security and integrity of all operational systems and critical technology infrastructure related to the issuance and servicing of Ginnie Mae Mortgage-Backed Securities (MBS). In support of these objectives, Ginnie Mae will be implementing Cybersecurity Incident reporting requirements. Effective immediately, Document Custodians will be required to notify Ginnie Mae of a Significant Cybersecurity Incident, as described below.
A Significant Cybersecurity Incident (Cyber Incident), is an event that actually or potentially jeopardizes, without lawful authority, the confidentiality, integrity, or availability of information or an information system; or constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies and has the potential to directly or indirectly impact the Document Custodian’s ability to meet its obligations as required by Appendix V-01—Document Custodian Manual in the Mortgage-Backed Securities Guide (MBS Guide). The requirement to notify Ginnie Mae applies to all Document Custodians.
Document Custodians must notify Ginnie Mae within 48 hours of detection that a Cyber Incident may have occurred. The notification must be sent to Ginnie Mae via email to: Ginnie_Mae_Cybersecurity_Incident@hud.gov and contain the following information: - Date/time of Cyber Incident,
- A summary of the incident based on what is known at the time of notification,
- Designated point(s) of contact who will be responsible for coordinating any follow-up activities on behalf of the notifying party.
Once the notification is received, representatives from Ginnie Mae will contact the designated point of contact to obtain additional information and establish the appropriate level of engagement needed depending on the scope and nature of the incident. Ginnie Mae is reviewing its information security requirements with the intent of further refining its information security, business continuity and reporting requirements.
If you have any questions about the policy announced in this APM, please contact your Account Executive directly.
|