Re: Cybersecurity Incident Notification Requirements
Dear Mr. Valverde,
The American Bankers Association, Bank Policy Institute, and the Housing Policy Council (collectively, the Associations) write to provide feedback on Ginnie Mae's All Participant Memorandums (APM) 24-02 and 24-10. The APMs, effective immediately, contain wide-ranging thresholds for cyber incident reporting that will present considerable compliance challenges for issuers and document custodians. Therefore, the Associations request that Ginnie Mae revise the current APMs to better align with existing cyber regulatory reporting requirements. Harmonizing the APMs in this way will still provide Ginnie Mae with timely notification of cyber incidents to mitigate risks, and will simplify the reporting process for an impacted entity. Today, companies dedicate significant resources and time to complying with numerous reporting requirements with divergent timeframes.
As currently drafted, the APMs have an impractical "significant cybersecurity incident" definition with exceptionally low thresholds for reporting. The definition covers events that "potentially jeopardize" information or information systems or pose an "imminent threat of violation" to security policies, both standards that would likely encompass large numbers of incidents experienced by issuers and document custodians that are immaterial in their impact.
Download the joint comment letter to read the full text.