Announcement SVC-2025-01 – Servicing Guide Update
Enhanced cybersecurity requirements for GSE servicers including mandatory incident reporting and comprehensive security program implementation
Advisory Assessment
Impact. This Fannie Mae guidance establishes comprehensive cybersecurity obligations for GSE servicers that fundamentally restructure your information security posture. The requirements mandate implementation of formal Information Security and Business Continuity Management programs, create 36-hour incident reporting timelines, and extend cybersecurity oversight to third-party service providers across your servicing operations.
Risk. Given the August 2025 effective date has passed, you face immediate examination exposure for non-compliance with established GSE cybersecurity standards. Technology and operations teams are most vulnerable to gaps in the mandatory security program implementation, particularly around incident response procedures and third-party vendor cybersecurity controls that examiners will scrutinize closely.
Recommended Action. Conduct an immediate gap assessment against the Fannie Mae Information Security and Business Resiliency Supplement to identify current compliance deficiencies. Have your compliance team coordinate with technology leadership to document existing security controls and map outstanding implementation requirements across the three mandated program areas.
Watch. Monitor for GSE examination guidance that may clarify enforcement priorities for institutions still implementing these cybersecurity requirements, and track any additional Fannie Mae announcements regarding compliance timelines for past-due obligations.
Classification
- Regulatory Program
- GSE Servicing Requirements
- Doc Type
- Guidance
- Effective Date
- 2025-08-12
- Days to Action
- -338
- Comment Deadline
- —
- Published
- 2025-02-12
Urgency Basis
Effective date of August 12, 2025 is beyond 180 days from today's date of May 26, 2026, but this is already past due requiring immediate assessment
Operational Context
Impact by Category
Key Requirements
Scoring Rationale
This GSE servicing guidance introduces significant new cybersecurity obligations requiring cross-functional implementation. The compliance score reflects new mandatory requirements across three security domains. Operational impact is high due to comprehensive program implementation needs. Data governance and third-party risk scores reflect security control and vendor oversight requirements. The 36-hour incident reporting creates moderate reporting obligations. While technically past the effective date, institutions must assess current compliance gaps.