Fannie Mae’s New Security Rules: Is Your Business Ready?

Cyber threats are on the rise, and Fannie Mae isn’t taking any chances. With its new Information Security and Business Resiliency Supplement, Fannie Mae is requiring lenders and servicers to strengthen their cybersecurity measures and disaster recovery plans.

Mortgage lenders handle vast amounts of borrower data, making them prime targets for hackers. A single cyberattack can disrupt operations, compromise sensitive information, and lead to serious financial and legal consequences. That’s why Fannie Mae now requires strict security and business resiliency protocols—and failure to comply could put your business at risk.

Here’s what you need to know to stay ahead.

Cybersecurity: No Longer Optional

Fannie Mae now requires all lenders and servicers to have a comprehensive Information Security Program that follows top industry standards, such as the NIST Cybersecurity Framework or ISO 27001. Key requirements include:

a) Multi-Factor Authentication (MFA) – Strengthening logins to prevent unauthorized access.

b) Access Controls – Limiting employee access to only the data they need.

c) Regular Security Assessments – Ensuring ongoing protection through annual reviews.

d) Vulnerability Management – Identifying and patching system weaknesses before they are exploited.

The mortgage industry has already seen an increase in ransomware attacks, data breaches, and phishing scams. With these new requirements, Fannie Mae is making it clear: lenders must take cybersecurity seriously or face consequences.

Business Continuity Planning: Be Ready for the Unexpected

Cyber threats aren’t the only risk. Natural disasters, vendor disruptions, and technology failures can cripple a mortgage business if there’s no plan in place. That’s why Fannie Mae is requiring lenders to maintain a Business Continuity Plan (BCP) and Disaster Recovery Procedures (DRP) to ensure smooth operations, no matter what happens. Your BCP must include:

a) Backup Systems & Data Protection – Ensuring quick recovery in case of outages.

b) Crisis Management & Communication Plans – Keeping teams and borrowers informed.

c) Regular Testing & Updates – Plans must be reviewed and tested annually.

A well-prepared business can recover faster and minimize financial and reputational damage. Without a strong BCP, even a minor disruption could have major consequences.

The 36-Hour Cyber Incident Rule

If a lender experiences a cybersecurity incident, such as a data breach, ransomware attack, or unauthorized access to borrower information, they must report it to Fannie Mae within 36 hours.

Fannie Mae may take immediate action, such as:

a) Blocking system access to prevent further damage.

b) Requiring security attestations before restoring system connections.

c) Requesting investigation details to assess the extent of the breach.

This strict reporting rule highlights the urgency of cybersecurity readiness. A slow response could lead to business interruptions, financial penalties, and loss of trust from borrowers.

Why This Matters

While these new security and resiliency requirements may seem like a challenge, they also present an opportunity. Lenders who proactively strengthen their cybersecurity and business continuity plans can:

a) Reduce risk and avoid costly cyber incidents.

b) Increase borrower trust by demonstrating strong security measures.

c) Ensure compliance with Fannie Mae’s evolving requirements.

The mortgage industry is facing a digital security wake-up call, and Fannie Mae is leading the charge. The question is: Will your business be ready?

Source: https://www.fanniemae.com/media/54736/display

LiliaF
