Freddie Mac’s Updated Cybersecurity Requirements: What Mortgage Lenders Need to Know About the January 1, 2026 Changes

Jan 13, 2026

As of January 1, 2026, Freddie Mac’s enhanced information security requirements are now in effect, representing a significant evolution in Freddie Mac cybersecurity requirements for mortgage lenders and servicers. Released in October 2025 through Bulletin 2025-13, these updates establish the most complete security standards Freddie Mac has mandated to date. 

If you haven’t achieved full compliance with Freddie Mac’s updated requirements yet, understanding what’s required and how to move forward intelligently can help you close these gaps efficiently. 

These new requirements apply to any organization that stores, accesses, processes, or transmits Freddie Mac confidential information or Protected Information, or connects to Freddie Mac systems. Two requirements deserve particular attention: 

  1. Independent penetration testing, and 
  2. Incident response preparedness. 

Both require annual execution and thorough documentation, and both serve as opportunities to fortify your security posture beyond basic compliance.

Why These Requirements Matter 

Freddie Mac’s updated requirements reflect what we’re seeing across the industry: mortgage companies handle extraordinarily sensitive consumer data in an environment where cyberattacks grow more sophisticated daily. A single breach can expose thousands of borrowers’ personal financial information, trigger regulatory consequences, and disrupt operations for extended periods. 

What makes these requirements valuable is that they push organizations beyond checkbox compliance toward genuine resilience. When implemented thoughtfully, independent penetration testing reveals vulnerabilities before attackers do. Tested incident response plans ensure your team can coordinate effectively under pressure. The regulatory requirement becomes the catalyst for building capabilities that protect your business long-term.

1. Independent Penetration Testing: What’s Required

One of the most significant additions is the mandate for annual penetration testing by an independent third party. Let’s clarify what this means in practice. 

What Qualifies as Independent Penetration Testing? 

Section 1302.2(b)(xi) of the updated guide specifies that both sellers and servicers must engage a qualified and independent third party to conduct penetration testing at least annually on systems handling Freddie Mac information or connecting to Freddie Mac systems. The executive summary of the penetration test report must be available for Freddie Mac review. 

The “independent” requirement is crucial: internal IT teams, regardless of skill level, can’t fulfill this mandate. You’ll need to engage a qualified third-party cybersecurity firm for an objective assessment. 

Why Penetration Testing Differs from Vulnerability Scanning 

Many mortgage companies assume their vulnerability scans satisfy this requirement. While vulnerability scanning is valuable and should be part of your cybersecurity program, it serves a different purpose than penetration testing does: 

  • Vulnerability scans are automated tools that identify known weaknesses such as outdated software or missing patches. Think of them as routine health screenings that flag potential problems.
  • Penetration testing involves skilled ethical hackers actively attempting to exploit weaknesses and breach your defenses, just as a real attacker would. This reveals not only what vulnerabilities exist, but how they might be exploited to compromise your systems. 

Both matter. Vulnerability scanning provides continuous monitoring, while penetration testing validates whether your security controls can withstand determined attacks. Understanding this distinction helps you implement both effectively.

2. Incident Response Testing: Proving Your Plan Works

Having an incident response plan matters less than knowing it works when you’re facing an actual cyberattack. That’s why Freddie Mac now requires annual testing and auditing of your incident response capabilities.

What the Requirements Mandate 

Section 1302.2(b)(xv) specifies that your incident response plan must include: 

  • Senior management approval (at minimum from your Chief Information Officer, Chief Technology Officer, Chief Information Security Officer, or Chief Risk Officer) 
  • A clearly defined process to immediately shut off access to Freddie Mac systems when an incident occurs 
  • Procedures to address security breaches involving Freddie Mac confidential information or Protected Information promptly and effectively 
  • Annual testing of the plan’s effectiveness (unless the plan was activated during the year) 
  • Annual auditing by either an internal independent function or an external qualified party 
  • At least annual reviews and updates 

Understanding Two Distinct Requirements: Testing and Auditing 

Freddie Mac requires both annual testing AND annual auditing of your incident response plan. These are separate activities serving different purposes: 

Testing validates that your team can execute the plan effectively under pressure. Can your IT, legal, and executive teams coordinate properly during a real cyberattack? Testing proves the plan works in practice, not just on paper. 

Auditing provides independent verification that your plan meets required standards and includes all necessary elements. This formal assessment is conducted by either an internal independent function or an external qualified entity. 

Both must be satisfied annually, but they serve complementary purposes: testing proves your plan works; auditing confirms your plan is comprehensive. 

How Tabletop Exercises Fulfill the Testing Requirement 

While Freddie Mac doesn’t mandate a specific testing method, tabletop exercises have emerged as the most effective approach. These facilitated simulations walk your team through realistic breach scenarios, revealing procedural gaps and communication breakdowns before they occur in an actual crisis. 

Cybersecurity experts guide your team through a simulated ransomware attack or data breach, testing whether notification sequences work and how effectively departments coordinate. The facilitated format ensures thorough documentation, demonstrating compliance with Freddie Mac’s testing requirement. When facing a real incident, you won’t have time to figure out your protocols. 

Fulfilling the Auditing Requirement 

Separately, you’ll need annual auditing by either an internal independent function or an external qualified entity. The auditor reviews your plan’s comprehensiveness, verifies required elements, and documents findings. 

Many organizations combine both activities: conducting tabletop exercises to test execution, then having the same qualified entity audit the plan’s completeness. This integrated approach satisfies both requirements efficiently while building stronger incident response capabilities. 

Moving Forward: What to Consider Now 

If you haven’t achieved full compliance, here’s what might help you move forward efficiently: 

  • Schedule penetration testing: Engage a qualified cybersecurity firm to conduct independent testing on all systems handling Freddie Mac data or connecting to Freddie Mac systems. Be clear about the distinction between vulnerability scanning and penetration testing when scoping the engagement. 
  • Review your incident response plan: Verify your plan includes all required elements, has appropriate senior management approval, and clearly defines Freddie Mac-specific processes. 
  • Conduct tabletop exercise testing: As explained above, Freddie Mac requires annual testing of your incident response plan’s effectiveness. Tabletop exercises provide the most effective method for satisfying this testing requirement. Engage cybersecurity experts to facilitate a realistic breach scenario and document the exercise thoroughly. 
  • Arrange annual auditing: Separately from testing, Freddie Mac requires annual auditing of your incident response plan by either an internal independent function or external qualified entity. This formal assessment verifies your plan’s comprehensiveness and compliance with required standards. 
  • Document comprehensively: Freddie Mac may request proof of compliance, including penetration test executive summaries, incident response testing documentation, and audit results. Thorough records simplify future reviews. 

The Opportunity in the Requirement 

Meeting Freddie Mac’s new standards represents more than checking regulatory boxes. These requirements push organizations toward genuine resilience: the capability to detect threats early, respond effectively, and maintain business continuity when attacks occur. 

The compliance deadline has passed, but you likely have time to close these gaps before they surface in your next review or audit. The strategic approach is implementing these requirements in ways that strengthen your overall security posture, not just satisfy the mandate. 

By building robust penetration testing and incident response programs now, you’re creating capabilities that protect your organization regardless of regulatory requirements. The compliance mandate becomes the catalyst for building lasting, durable resilience. 

How We Can Help 

If you’d like to explore how to approach these requirements strategically, our team understands the mortgage industry’s unique cybersecurity challenges. We can provide the independent penetration testing, incident response planning, and compliance support these requirements demand. 

We’d welcome a conversation about your specific situation and what approach might work best for your organization. Reach out to our mortgage cybersecurity team at info@richeymay.com. 