Ginnie Mae adds cyber security notification requirement

Ginnie Mae is directing all issuers to report cybersecurity incidents promptly when they occur and noted that it's more broadly reviewing its protocols in this area.

The government mortgage-backed securities guarantor said in an all-participants memorandum that it needs incidents reported within 48 hours and has specific instructions for subservicers, who must report when a concern affects one or more of their clients. 

Ginnie has set up an email for notification at Ginnie_Mae_Cybersecurity_Incident@hud.gov. Issuers must provide the time and date of the concern, a summary based on the most current information known and a designated point of contact prepared for follow-up inquiries.

"Prompt and clear communication is critical to managing cybersecurity events as they unfold. This new requirement is an important step in further enhancing our cybersecurity framework to meet current and future needs," said Ginnie Mae President Alanna McCargo in a press release.

Ginnie is particularly concerned about incidents that have "the potential to directly or indirectly impact that issuer's ability to meet its obligations under the terms of the guaranty agreement."

It defines a cybersecurity incident as "any unauthorized access to, or use, disclosure, alternation, transfer, or destruction of confidential information or nonpublic personal information."

Ginnie has previously issued some ad hoc notifications about incidents, such as one issued late last year noting that a cyberattack at Mr. Cooper and a related temporary system shutdown affected some loan-pool factor calculations.

Multiple servicers have been bedeviled by cyberattacks and nonbanks in particular are facing growing responsibility to report larger ones under Federal Trade Commission rules set to go into effect on April 27. The FTC's rule will require notification within 30 days of awareness of a breach if unauthorized parties gain access to unencrypted data from 500 or more people.

Some mortgage companies have been pushing back against the degree of public disclosure of these incidents in court after facing a wave of cybersecurity-related litigation. 

Recently, Bayview Asset Management and some of its servicing subsidiaries challenged some plaintiffs' disclosures in such a lawsuit on the basis that it contained information the two parties had agreed earlier would be protected and confidential.

Other mortgage-related companies that recently have reported cybersecurity incidents and faced litigations include Fidelity National Financial, Loandepot, Keybank and Flagstar (the latter of which is now owned by New York Community Bank.)

Ginnie Mae guarantees payments to MBS investors from mortgages in collateral pools, which other government agencies such as the Federal Housing Administration or the Department of Veterans Affairs provide some backing for at the loan levels. The FHA and Ginnie are both arms of the Department of Housing and Urban Development.

The VA has been working to improve its general cybersecurity since information from 46,000 people accessing its systems for healthcare-related reasons was exposed in a cyberattack back in 2020. That incident led to the Strengthening VA Cybersecurity Act of 2022.

The Government Accountability Office has issued a series of cybersecurity recommendations to the VA in recent years that the department has made some progress on implementing, according to a report last year.