Cyber Risk Becomes Mortgage Risk: Fannie Mae’s New InfoSec Mandate

In an era when data breaches and cyberattacks are headline news, Fannie Mae has elevated its expectations for cybersecurity across its partner ecosystem. On August 12, 2025, the Fannie Mae Information Security and Business Resiliency Supplement (the “Supplement”) takes effect for single-family sellers and servicers (among others), demanding significantly stricter controls, incident reporting timelines, and governance procedures.

This is not merely a technical update — it is a compliance obligation with real financial, reputational, and eligibility risk for lenders, servicers, vendors, and technology partners.

What’s Changing and Who’s Impacted

Fannie Mae’s updated Supplement applies to multiple categories of business counterparties:

a) Single-family sellers and servicers

b) Multifamily lenders

c) Technology service providers (with a later deadline)

d) Document custodians

The deadlines vary by category. For single-family sellers and servicers (and multifamily lenders), full implementation is required by August 12, 2025. Technology service providers and document custodians have subsequent deadlines.

Under the new rules, business partners must meet enhanced requirements across information security controls, incident notification, business continuity and resiliency planning, among other domains.

Why This Matters — And What’s at Stake

Eligibility Risk
Non-compliance isn’t theoretical. Firms that serve as sellers or servicers on Fannie Mae-approved channels risk jeopardizing their ability to originate or service loans under Fannie Mae’s programs. Access to systems, contracts, or product pipelines could be curtailed if controls aren’t aligned.

Incident Reporting & Timeliness
Perhaps the single most dramatic change is the requirement to report cybersecurity incidents within 36 hours of identification. That includes unauthorized access, data loss, ransomware, denial-of-service attacks, or business-email compromise that impacts confidential information.

Missing that reporting window—or lacking timely communication with Fannie Mae—could lead to operational restrictions or even suspension of system access, depending on the severity and the response.

Vendor / Supply-Chain Risk Exposure
The Supplement makes it clear that firms must uphold similar information-security and business continuity obligations not only internally, but across their third-party service providers (supply-chain / vendor risk).

That means oversight of subcontracted vendors, cloud providers, custodial services, or technology partners must align with Fannie Mae’s standards — or risk non-compliance via “weak links.”

Operational Resilience
The business-resiliency component emphasizes continuity planning, incident-response procedures, and resiliency testing. It’s not sufficient to have basic policies on paper — firms must prove that they can recover, continue critical servicing/origination activities, and protect borrower data in the event of a disruption or cyber event.

All told, the new Supplement shifts cybersecurity and resilience from an IT concern into a core compliance, governance, and risk-management concern for mortgage organizations and their partners.

What You Should Do — Next Steps for Mortgage Providers

To avoid fines, system access limitations, or reputational damage, stakeholders must act now. Here are recommended steps:

a) Gap Assessment & Audit
Immediately perform a comprehensive gap assessment of your existing Information Security Program, Incident Management procedures, Business Continuity Plan (BCP), and vendor oversight. Map your controls against the Supplement’s requirements to identify deficiencies.

b) Executive Oversight & Attestation
The Supplement implies senior-level accountability. Ensure that your governance structure includes a designated executive owner for InfoSec and business resiliency. Document attestations or board-level committee approvals as needed.

c) Incident-Response Procedures & Training
Update or develop your incident-response playbooks to reflect the new 36-hour reporting requirement. Train your staff and vendors on timely identification, escalation, and notification protocols.

d) Vendor & Contract Review
Review your agreements with third-party vendors, custodians, and technology partners. Confirm they meet the Supplement’s security-control and resiliency expectations. Amend contracts to include required obligations, audit rights, or compliance attestations.

e) Test & Document Resiliency Plans
Conduct tabletop exercises, disaster-recovery testing or fail-over drills. Document your results, remediation steps, and continuous improvement plan. Maintain records ready for audit or governance review.

f) Monitor & Report Progress
Establish internal dashboards or compliance-tracking metrics to monitor your progress toward full implementation ahead of the August 2025 deadline (or applicable deadline for your category). Escalate to senior leadership regularly.

Bottom Line:
Fannie Mae’s new Information Security & Business Resiliency Supplement is more than a security upgrade — it’s a compliance mandate. Cyber risk now sits squarely at the center of mortgage-lending partner eligibility. Firms that don’t treat information security and resiliency as strategic risk are at risk of losing access to Fannie Mae pipelines, facing operational interruptions, or worse, suffering avoidable reputational damage. Treat this as a priority project today — not tomorrow.