
Are You Ready? Fannie Mae’s Cybersecurity and Business Resiliency Requirements In Effect 8/12/25

Articles by: Richey May, Jul 08, 2025

The evolving threat landscape demands that we continuously evaluate and improve information security and business continuity practices. In response, Fannie Mae released new and updated requirements earlier this year through its Information Security and Business Resiliency Supplement (the “Supplement”). These requirements must be fully implemented by August 12, 2025, and they represent a significant step up in expectations for many lenders and servicers. If you missed our recent webinar, “Reaching Cyber Resilience: The Importance of Training and Testing,” now is your opportunity to hear from one of the industry’s top voices, Nathan Little, Vice President of Cyber Insurance Risk and Response at Arctic Wolf, alongside Michael Nouguier, Partner and CISO of Cybersecurity at Richey May. Below we compile the key takeaways. Are you prepared to comply?

Why This Matters

Fannie Mae’s new requirements are not just about compliance; they’re about resilience and protecting your business, your borrowers, your employees, and the broader financial system. The requirements are robust, encompassing industry-leading frameworks, incident response plans, vulnerability management, comprehensive penetration testing, business continuity plans, reporting requirements, and more. Even if you’re not a Fannie Mae-approved seller or servicer, many of the requirements outlined below are considered best practices for building a robust cybersecurity program and enabling the future of your business.

Key Cybersecurity Requirements

The Fannie Mae supplement outlines requirements in three key areas, including a comprehensive information security program, incident management and response, and business continuity and resiliency. There are many specific requirements in each key area, outlined below, with actionable recommendations from Richey May’s cybersecurity experts.

1. Comprehensive Information Security Program

  • Adopt Industry Standards: Your program must align with recognized frameworks such as the NIST Cybersecurity Framework or ISO 27001. We recommend the NIST Cybersecurity Framework for mortgage companies.
  • Implement Effective Access Controls: Lenders must limit access to sensitive data to only those employees who need it. This includes requirements around Human Resources onboarding processes, processes for all human and non-human user accounts, the ability to monitor and control access appropriately, and more.

    Service accounts are a crucial part of your company’s IT ecosystem; however, when not managed properly, they pose a significant cybersecurity risk. Because of their elevated privileges, access to sensitive data, and presence across many systems, service accounts constitute a critical attack surface that needs to be managed. We recommend that lenders assess their service-account risk and use a dynamic identity vulnerability and security platform as part of a robust security strategy.
  • Complete Regular Security Assessments: Lenders must conduct annual reviews performed by an independent auditor or assessor to ensure ongoing protection.

    An annual assessment helps identify vulnerabilities in your infrastructure, evaluate the effectiveness of existing controls, and ensure ongoing compliance with regulations and third-party requirements. Beyond compliance, annual assessments offer a strategic advantage. The mortgage industry constantly evolves with new digital tools, platforms, and third-party integrations, which can introduce unforeseen risks. Regular evaluations allow lenders to adapt their cybersecurity strategies to emerging threats, assess the performance of their service providers, and verify that security policies remain aligned with business goals. By proactively identifying and addressing potential weaknesses, mortgage companies can minimize the risk of costly breaches, service disruptions, and reputational damage, protecting both their bottom line and their customers’ confidence.

    Lenders should also evaluate their compliance with the Supplement, and the business risk associated with any gaps, as part of their annual internal audit risk assessment and three-year internal audit plan.
  • Conduct Vulnerability Scanning & Penetration Testing: One of the most notable updates in this Supplement is the requirement for a penetration test conducted by a third party at least annually, along with a vulnerability management program that includes regular vulnerability scanning. Combining effective penetration testing with a strong vulnerability management program will help mortgage companies identify and patch system weaknesses before they are exploited.

    A strong vulnerability management program involves continuously identifying, assessing, prioritizing, and remediating weaknesses across an organization’s IT infrastructure. A vulnerability scan and a penetration test both help identify security issues and play important roles in your cybersecurity program, but they serve different purposes. A vulnerability scan is like a routine check-up that uses automated tools to quickly search for known weaknesses, such as outdated software or missing patches. It’s fast, broad, and good for identifying surface-level risks. While scanners detect known flaws, penetration testing simulates real-world attacks to actively exploit vulnerabilities to reveal their true risk and business impact. It’s more in-depth and hands-on, providing insights into how far an attacker might get and what the real-world impact could be. This hands-on approach validates security controls, exposes complex attack paths missed by automation, and strengthens defenses against advanced threats. Used together, they offer a fuller picture of your security posture.

    Different types of penetration testing offer unique insights. Internal testing evaluates what could happen if someone inside your organization (or an attacker who has already gained access) tried to move around your network and access sensitive information. External testing focuses on how your public-facing systems, such as websites or email, stand up against outside threats trying to break in. Web application testing checks websites and online tools for weak spots that could let someone steal data or gain unauthorized access. Together, these tests identify problems before the attackers do and give a clearer picture of how to strengthen your defenses. Mortgage companies should be familiar with the various types of penetration testing and implement the testing that is most relevant to their business.

    Refer to our blog for more expert tips on penetration testing.

2. Incident Management and Notification

  • 36-Hour Reporting Rule: If you experience a cybersecurity incident, such as a data breach, ransomware attack, or unauthorized access to borrower information, you must report it to Fannie Mae within 36 hours of discovery. This is a tight reporting window for an organization in the middle of a breach. Make sure your team is trained to perform during such an incident, with defined roles and responsibilities that cover press, client, and internal communications as well as legal considerations.
  • Create an Incident Response (IR) Plan: Maintain a documented plan to detect, respond to, and recover from security incidents. Then make sure you test it and train your team. This is necessary to adhere to the 36-hour reporting rule.

    Performing tabletop exercises with a cybersecurity expert will allow you to define roles and responsibilities effectively, document your response plan, and then test the incident response plan in action to ensure you adhere to reporting rules and enable business continuity. Learn more about testing and training here.

3. Business Continuity and Resiliency

  • Business Continuity Plan (BCP)
    • Critical Processes: Identify and document the business processes essential for continued operations, including those required under your agreements with Fannie Mae. Determine how long your mission-critical systems can be down before the business can no longer operate, then work to meet those timelines. These timelines will guide critical decisions in the face of a breach and help your team prioritize the most impactful systems and processes.
    • Disaster Recovery Procedures: Ensure you can recover critical operations quickly, with backup systems and data protection in place, especially for the mission-critical systems noted above.
    • Crisis Management: Develop clear communication plans and points of contact for both internal teams and external partners. Clear communication plans and expectations during a crisis can make or break the recovery process, restoration procedures, and downtime for a business.
  • Regular Testing and Updates
    • Annual Testing: Test your BCP and disaster recovery procedures at least annually, or whenever major changes occur.
    • Threat Risk Assessments: Conduct annual assessments to evaluate emerging risks, and update your plans accordingly. Annual penetration tests performed by a third party are an integral component of business continuity and resiliency, reducing the downtime and cost of a breach. The IBM Cost of a Data Breach Report 2024 found that companies that perform offensive security testing typically reduce the cost of a breach by over $200,000.
  • Third-Party Oversight
    • Vendor Management: The Supplement places considerable emphasis on managing third parties. It’s imperative that your third-party vendors and service providers have robust business continuity and disaster recovery programs. If they don’t have a robust cybersecurity program in place that aligns with yours, they will create risk for your environment. Understanding the level of risk each vendor poses is imperative so you can manage and allocate resources appropriately to mitigate that risk. Read our comprehensive guide on third-party risk management to learn more.
    • Contingency Planning: Document contingencies for scenarios involving vendor failures or contract terminations.

What You Should Do Now

  • Review and Update Policies: Ensure your information security and business continuity policies meet or exceed Fannie Mae’s new requirements.
  • Prepare Your Team: Educate the leadership team and information security team members on the relevant regulations and protocols, especially incident response and reporting obligations.
  • Conduct Assessments: Schedule your annual security assessments and penetration tests now to avoid last-minute scrambling at the end of the year.
  • Test Your Business Continuity Plan: Run through your business continuity and disaster recovery plans to identify gaps and improve readiness. Hire cybersecurity experts to help you perform tabletop exercises to effectively test this plan and train team members.

The NYDFS Advantage

If you already operate in the state of New York and comply with NYDFS requirements, then you already have a program in place that will meet most, but not all, of Fannie Mae’s standards. The many similarities between the two sets of requirements will give you a head start on meeting Fannie Mae’s. For lenders who operate in many different states, the Richey May cyber experts will help you build a robust cybersecurity plan that fulfills all your various requirements and monitor for changes.

The Bottom Line

Fannie Mae’s new requirements are a call to action for mortgage lenders, sellers, and servicers. Compliance is not optional, and failure to meet these standards could put your business at risk. By adopting strong cybersecurity and business resiliency practices now, you’ll not only meet regulatory requirements but also protect your organization and your customers from the growing threat of cyberattacks and operational disruptions.

If you need help navigating these new requirements or want to ensure your policies and procedures meet expectations, reach out to our team of mortgage cybersecurity experts today at info@richeymay.com.