T2
FHFA
Medium Confidence
Advisory
Enterprise Cybersecurity Incident Reporting
Enhanced cybersecurity oversight and incident transparency for systemically important housing finance institutions
MODERATE
Impact Level
Top: operational (4)
Classification
- Regulatory Program
- Enterprise Cybersecurity
- Doc Type
- Advisory
- Effective Date
- 2026-09-14 (est.)
- Days to Action
- 60
- Comment Deadline
- —
- Published
- —
Urgency Basis
Advisory bulletin with cybersecurity incident reporting requirements - immediate implementation expected within 30-90 days
Operational Context
Flags
Examination Focus
Board Reporting Required
Systems Change Required
Legal Review Required
Affected Functions
Information Security
Risk Management
Compliance
Legal
Operations
Vendor Management
Institution Applicability
Government Sponsored Enterprises
Fannie Mae
Freddie Mac
Federal Home Loan Banks
Impact by Category
Compliance
3
Operational
4
Data Governance
3
Model Risk
1
Reporting & Disclosure
4
Capital & Liquidity
1
Consumer Protection
2
Third-Party Risk
3
Key Requirements
- Implement cybersecurity incident detection and classification procedures
- Establish incident reporting timelines and escalation protocols to FHFA
- Develop structured incident reporting formats and documentation standards
- Create incident response coordination with regulatory reporting obligations
- Maintain cybersecurity incident logs and audit trails for regulatory review
Scoring Rationale
Moderate impact driven by operational and reporting requirements. Cybersecurity incident reporting creates significant operational workflow changes and new regulatory reporting obligations, requiring cross-functional coordination and system enhancements.
AI Analysis Disclosure — This record, including its scores, impact assessments, and Advisory
Assessment (impact, risk, and recommended actions), was generated by an AI model and may contain errors or
omissions. The Advisory Assessment is a starting point for analysis, not a substitute for professional judgment.
Effective dates, applicability determinations, impact assessments, and any recommended actions should be
independently verified against primary regulatory source documents and reviewed by qualified compliance or legal
personnel before taking compliance action. This output does not constitute legal or compliance advice.