New Requirement:  Document Custodians Must Report Cybersecurity Incidents to Ginnie Mae

Earlier this year, Ginnie Mae established cybersecurity incident reporting requirements for issuers, including those who subservice for others.  Now, effective July 31, 2024, Ginnie Mae announced that Document Custodians are required to report such incidents. 

A Significant Cybersecurity Incident refers to an event that could: 

• Compromise the confidentiality (unauthorized access), integrity (alteration), or availability of information or systems.
• Violate or threaten to violate security protocols. 
• Potentially hinder the document custodian’s ability to meet their obligations under the Mortgage-Backed Securities Guide (appendix V-01). 

The report to Ginnie Mae must be sent by email to  Ginnie_Mae_Cybsersecurity_Incident@hud.gov and contain the following information:

• The date/time of the Cybersecurity Incident.
• A summary of the incident based on what is known at the time of notification.
• The designated points of contact who are responsible for coordinating any follow-up activities on behalf of the notifying party.