Fannie Mae Issues New and Updated Cybersecurity Requirements for Sellers and Servicers

March 11, 2025
Fannie Mae has issued an Information Security and Business Resiliency Supplement (the “Supplement”) which includes new and updated requirements related to information security, incident management and business resiliency for both sellers and servicers.  The Supplement consolidates requirements related to cybersecurity which were previously contained in the Selling Guide, Servicing Guide and Consolidated Technology Guide.  In […]

Fannie Mae has issued an Information Security and Business Resiliency Supplement (the “Supplement”) which includes new and updated requirements related to information security, incident management and business resiliency for both sellers and servicers.  The Supplement consolidates requirements related to cybersecurity which were previously contained in the Selling Guide, Servicing Guide and Consolidated Technology Guide. 

In the related announcements, Fannie Mae reminded sellers and servicers that they must report a Cybersecurity Incident to Fannie Mae no later than 36 hours after the incident is identified. A Cybersecurity Incident is defined as any of the following related to Confidential Information:

  • loss of;
  • accidental or unauthorized acquisition, use, modification, disclosure, deletion, or destruction of;
  • accidental or unauthorized access to;
  • circumvention, disabling, or deactivation of security measures protecting; or
  • occurrence affecting the confidentiality, integrity, or availability of.

Examples include one or more of the following:

  • Ransomware, regardless of potential impact to Confidential Information;
  • denial of service attack which may affect the delivery of the services to Fannie Mae, for avoidance of doubt this includes a distributed denial of service attack;
  • business e-mail compromise (BEC), regardless of potential impact to Confidential Information; and
  • Vulnerabilities that may affect the delivery of services or loans to or for Fannie Mae.

Sellers and servicers are encouraged to adopt the requirements immediately but must fully implement them no later than August 12, 2025.  The Supplement can be found by visiting Fannie Mae Information Security and Business Resiliency Supplement.

Sign up for news + updates

Expert insights and regulatory updates on RegTech, compliance management, and fair lending.

Recommended Resources

Propel™ by Asurity - Case Study: Proprietary LOS Integration

Find out why a top-ten mortgage lender with a proprietary loan origination system (LOS) needed to convert from a legacy document platform.

Goals Module Overview

Learn more about the Goals Module and its key monitoring and reporting features.

Reg+Tech Magazine Volume 2 Issue 1

Learn about the changes of state consumer protection and the responsibility of financial services institutions to pursue operational excellence and a culture of compliance.

chevron-down linkedin facebook pinterest youtube rss twitter instagram facebook-blank rss-blank linkedin-blank pinterest youtube twitter instagram