Fannie Mae has issued an Information Security and Business Resiliency Supplement (the “Supplement”) which includes new and updated requirements related to information security, incident management and business resiliency for both sellers and servicers.  The Supplement consolidates requirements related to cybersecurity which were previously contained in the Selling Guide, Servicing Guide and Consolidated Technology Guide. 

In the related announcements, Fannie Mae reminded sellers and servicers that they must report a Cybersecurity Incident to Fannie Mae no later than 36 hours after the incident is identified. A Cybersecurity Incident is defined as any of the following related to Confidential Information:

• loss of;
• accidental or unauthorized acquisition, use, modification, disclosure, deletion, or destruction of;
• accidental or unauthorized access to;
• circumvention, disabling, or deactivation of security measures protecting; or
• occurrence affecting the confidentiality, integrity, or availability of.

Examples include one or more of the following:

• Ransomware, regardless of potential impact to Confidential Information;
• denial of service attack which may affect the delivery of the services to Fannie Mae, for avoidance of doubt this includes a distributed denial of service attack;
• business e-mail compromise (BEC), regardless of potential impact to Confidential Information; and
• Vulnerabilities that may affect the delivery of services or loans to or for Fannie Mae.

Sellers and servicers are encouraged to adopt the requirements immediately but must fully implement them no later than August 12, 2025.  The Supplement can be found by visiting Fannie Mae Information Security and Business Resiliency Supplement.