Government-sponsored enterprise (GSE) Freddie Mac this week released an industry letter encouraging seller/servicers to take the accelerating pace of cybersecurity threats seriously, and to ensure that processes and tools are maintained to limit exposure to potential security risks.
“A record number of cybersecurity incidents against Seller/Servicers occurred in 2023,” the letter said. “These included incidents of social engineering (e.g., ‘phishing,’ ‘spear phishing’) and installation of malware and ransomware. These incidents have resulted in business disruptions at the impacted Seller/Servicers and for Borrowers.”
Because of this increase in cybersecurity threats, “Seller/Servicers are required to maintain robust information security programs to prevent and limit the impact of such incidents,” the GSE said.
This includes reviewing and updating such systems on at least an annual basis and incorporating emerging best practices that have become more standard after a series of high-profile cybersecurity incidents rocked prominent companies in the housing industry.
“Given recent events and the increasingly sophisticated nature of these cybersecurity incidents, Seller/Servicers are encouraged to accelerate their program reviews to incorporate industry best practices and lessons learned from recent events,” the letter said. “We are reminding Seller/Servicers that they are obligated to report incidents as soon as possible, but no later than 48 hours after discovery.”
Freddie Mac also aims to remind seller/servicers about their obligations to “respond to Freddie Mac inquiries related to a cybersecurity incident and provide information regarding its scope, its containment and the Seller/Servicer’s resolution of any vulnerabilities to Freddie Mac’s satisfaction,” the letter said.
The GSE also advised that it is taking a critical look at its own reporting requirements in light of the current challenges.
“We are reviewing our Seller/Servicer information security requirements with the intent of enhancing our Counterparty Operational Risk Evaluation reviews of Seller/Servicer programs, refining reporting obligations by Seller/Servicers and increasing threat and incident monitoring using a variety of tools,” the letter explained.
The new verbiage from Freddie Mac comes as the housing industry has been hit by several prominent cybersecurity breaches in recent months. These include title companies like First American and Fidelity National Financial, and lenders/servicers including loanDepot and Mr. Cooper.
Last May, OneMain Financial was forced to pay $4.25 million to New York State’s Department of Financial Services (DFS) over purported lapses in its cybersecurity posture.