Ginnie Mae has announced the implementation of new Cybersecurity Incident reporting requirements in All Participants Memorandum (APM) 24-02. These requirements are part of Ginnie Mae’s continued commitment to the security and integrity of all operational systems and critical technology infrastructure related to the issuance and servicing of Ginnie Mae Mortgage-Backed Securities (MBS).
A breach in cybersecurity
Through APM 24-02: Cybersecurity Incident Notification Requirement, issuers must notify Ginnie Mae of a cyber security incident within 48 hours of detection. A Cybersecurity Incident is defined as any unauthorized access to, or use, disclosure, alteration, transfer, or destruction of, confidential information or non-public personal information (NPI) that may impact the Issuer’s ability to meet its obligations under the terms of the Guaranty Agreement. Issuers who subservice for others are required to notify Ginnie Mae whether the incident occurred to their own portfolio, and/or one or more subserviced portfolios.
Once the notification is received, representatives from Ginnie Mae will contact the designated point of contact to obtain additional information and establish the level of engagement needed depending on the scope and nature of the incident.
Risk management in the 21st Century
“These Cybersecurity Incident Reporting requirements are an important part of managing cyber risk that could impact our program,” said Ginnie Mae President Alanna McCargo. “Prompt and clear communication is critical to managing cybersecurity events as they unfold. This new requirement is a crucial step in further enhancing our cybersecurity framework to meet current and future needs.”
Ginnie Mae’s new Cybersecurity Incident APM is part of its comprehensive approach to augmenting its cybersecurity protocols, with the intent of further refining its organization-wide information security, business continuity and reporting requirements.
Upping the ante on security
Ginne Mae issuing APM 24-02 comes just weeks after loanDepot reported that it fell victim of a cyber attack on January 8. In a release on the incident, loanDepot reported that an unauthorized third party gained access to sensitive personal information of approximately 16.6 million individuals in its systems. The company has notified these individuals and offered credit monitoring and identity protection services at no cost to them.
“Unfortunately, we live in a world where these types of attacks are increasingly frequent and sophisticated, and our industry has not been spared. We sincerely regret any impact to our customers,” said loanDepot CEO Frank Martell. “The entire loanDepot team has worked tirelessly throughout this incident to support our customers, our partners and each other. I am pleased by our progress in quickly bringing our systems back online and restoring normal business operations.”
The loanDepot incident was just the first in a string of cybersecurity and ransomware attacks to plague the mortgage finance industry.
In December, title insurance and settlement services provider First American Financial Corporation reported that the operations of several of its subsidiaries were disrupted by a cyberattack. First American went as far as taking email systems offline and warned customers to be aware of potentially malicious emails purporting to come from the company.
In November, Fidelity National Financial (FNF) had its systems knocked offline for nearly a week due to a ransomware attack that included a data breach. The ransomware operators stole data from the compromised systems to use as leverage against the victim. In a Form 8-K, FNF said it notified applicable state attorneys general and regulators, and approximately 1.3 million potentially impacted consumers by the attack.
And last October, Mr. Cooper Group experienced a cyber incident in which an unauthorized third-party gained access to the company’s systems. Upon detection, the company-initiated response protocols, launched an investigation with the assistance of cybersecurity experts to determine the nature and scope of the incident, and contacted law enforcement. Mr. Cooper also made the decision to shut down systems to contain the incident, and in an effort to protect customer information. Mr. Cooper identified that files containing personal information were obtained by an unauthorized party.
“We take our role as a mortgage company very seriously, and there is nothing more important to us than maintaining our customers’ trust,” said Jay Bray, Chairman and CEO, Mr. Cooper Group of the incident. “I want you to know how sorry I am for any concern or frustration this may have caused. Making the homeownership journey as smooth as possible is our top priority, and we intend to make this right for our customers.”
