– Freddie Mac released an industry letter urging seller/servicers to take cybersecurity threats seriously and maintain processes and tools to limit exposure to risks.
– The letter highlighted a record number of cybersecurity incidents against seller/servicers in 2023, including social engineering, malware, and ransomware attacks.
– Seller/servicers are required to have robust information security programs and regularly review and update their systems.
– Freddie Mac encouraged seller/servicers to accelerate their program reviews, incorporate industry best practices, and report incidents as soon as possible.
– Seller/servicers are obligated to respond to Freddie Mac inquiries related to cybersecurity incidents and to provide information on each incident's scope, its containment, and the resolution of any vulnerabilities.
– Freddie Mac is reviewing its own reporting requirements and enhancing its Counterparty Operational Risk Evaluation reviews and its threat and incident monitoring.
– The housing industry has experienced prominent cybersecurity breaches, including title companies and lenders/servicers.
– OneMain Financial was fined $4.25 million for cybersecurity lapses.
Government-sponsored enterprise (GSE) Freddie Mac this week released an industry letter encouraging seller/servicers to take the accelerating pace of cybersecurity threats seriously, and to ensure that processes and tools are maintained to limit exposure to potential security risks.
“A record number of cybersecurity incidents against Seller/Servicers occurred in 2023,” the letter said. “These included incidents of social engineering (e.g., ‘phishing,’ ‘spear phishing’) and installation of malware and ransomware. These incidents have resulted in business disruptions at the impacted Seller/Servicers and for Borrowers.”
Because of this increase in cybersecurity threats, “Seller/Servicers are required to maintain robust information security programs to prevent and limit the impact of such incidents,” the GSE said.
This includes reviewing and updating such systems on at least an annual basis, and incorporating emerging best practices that have become more standard since a series of high-profile cybersecurity incidents rocked prominent companies in the housing industry.
“Given recent events and the increasingly sophisticated nature of these cybersecurity incidents, Seller/Servicers are encouraged to accelerate their program reviews to incorporate industry best practices and lessons learned from recent events,” the letter said. “We are reminding Seller/Servicers that they are obligated to report incidents as soon as possible, but no later than 48 hours after discovery.”
Freddie Mac also aims to remind seller/servicers about their obligations to “respond to Freddie Mac inquiries related to a cybersecurity incident and provide information regarding its scope, its containment and the Seller/Servicer’s resolution of any vulnerabilities to Freddie Mac’s satisfaction,” the letter said.
The GSE also advised that it is taking a critical look at its own reporting requirements in light of the current challenges.
“We are reviewing our Seller/Servicer information security requirements with the intent of enhancing our Counterparty Operational Risk Evaluation reviews of Seller/Servicer programs, refining reporting obligations by Seller/Servicers and increasing threat and incident monitoring using a variety of tools,” the letter explained.
The new verbiage from Freddie Mac comes as the housing industry has been hit by several prominent cybersecurity breaches in recent months. These include title companies like First American and Fidelity National Financial, and lenders/servicers including loanDepot and Mr. Cooper.
Last May, OneMain Financial was forced to pay $4.25 million to New York State’s Department of Financial Services (DFS) over purported lapses in its cybersecurity posture.
Property Chomp’s Take:
In recent years, the importance of cybersecurity has become increasingly apparent in various industries, including the housing industry. Government-sponsored enterprise Freddie Mac has released an industry letter emphasizing the need for seller/servicers to prioritize cybersecurity and take measures to mitigate potential security risks.
The letter highlights that there has been a significant increase in cybersecurity incidents against Seller/Servicers, including social engineering attacks like phishing and spear-phishing, as well as malware and ransomware installations. These incidents have not only disrupted the business operations of the impacted Seller/Servicers but have also affected borrowers.
To combat these threats, Freddie Mac states that Seller/Servicers must maintain robust information security programs. They should review and update their systems at least annually and incorporate emerging best practices. The letter emphasizes the importance of accelerating program reviews to include industry best practices and lessons learned from recent events. Additionally, Seller/Servicers must report incidents as soon as possible, and no later than 48 hours after discovery.
Freddie Mac also reminds seller/servicers of their obligation to respond to inquiries related to a cybersecurity incident and provide information regarding the scope, containment, and resolution of any vulnerabilities to Freddie Mac’s satisfaction.
Recognizing the challenges posed by cybersecurity, Freddie Mac is reviewing its own reporting requirements and intends to enhance its Counterparty Operational Risk Evaluation reviews of Seller/Servicer programs. It also plans to refine reporting obligations for Seller/Servicers and increase threat and incident monitoring using various tools.
The housing industry has witnessed several high-profile cybersecurity breaches in recent months. Title companies like First American and Fidelity National Financial, as well as lenders/servicers such as loanDepot and Mr. Cooper, have been targeted. These incidents highlight the urgent need for robust cybersecurity measures in the industry.
OneMain Financial’s case serves as a reminder of the potential consequences of inadequate cybersecurity measures. The company was required to pay a hefty sum of $4.25 million to New York State’s Department of Financial Services over lapses in its cybersecurity posture.
In conclusion, the