A new policy requiring issuers and document custodians of Ginnie Mae mortgage-backed securities to notify the corporation within 48 hours of detecting “significant” cybersecurity incidents will present considerable compliance challenges, the American Bankers Association and two other associations said Wednesday in a joint letter. The associations instead urged Ginnie Mae to align its notification standards with existing regulatory cyber incident reporting requirements.
Ginnie Mae this year issued two “all participant memorandums,” or APMs, establishing the new notification requirements, which require issuers and document custodians to report the date and time of the incident, a summary of what happened and a point of contact for the corporation. The new policy was part of a larger push by the Federal Housing Administration to require lenders and servicers to report cyber incidents to housing agencies.
In their letter, the associations said the Ginnie Mae APMs have an impractical “significant cybersecurity incident” definition with exceptionally low thresholds for reporting. They also said the requirements are inconsistent with several ongoing government cyber regulatory harmonization efforts, including work by the Cyber Incident Reporting Council to coordinate federal incident reporting requirements.
“Introducing a new requirement with distinct thresholds and timeframes for reporting will further complicate an already complex regulatory landscape,” the associations said. “In fact, according to a recent survey of large financial institutions, firm cyber teams now spend as much as 70% of their time on regulatory compliance matters. Therefore, an uncoordinated approach to regulatory reporting requirements is not without consequence and leaves cyber professionals with less time for the core security activities that are essential to effectively managing the organization’s cyber risk.”