Source: www.databreachtoday.com
Banking and Housing Policy Groups Call New Cyber Reporting Measures ‘Impractical’
Chris Riotta (@chrisriotta) • August 23, 2024
A coalition of banking and housing lobbyists urged Ginnie Mae to reverse its “impractical” cybersecurity incident reporting requirements for custodians of mortgage-backed securities.
Ginnie Mae, a government-owned corporation responsible for overseeing securities payments nationwide, recently issued a policy requiring custodians of its mortgage-backed securities to provide notification to the federal entity within 48 hours of detecting a “significant” cybersecurity incident.
The American Bankers Association, the Bank Policy Institute and the Housing Policy Council published a letter Thursday calling on Ginnie Mae to revise its cybersecurity requirements and describing the measures as “inconsistent” with existing government cyber regulatory harmonization efforts.
The letter says the new requirement has “an impractical ‘significant cybersecurity incident’ definition with exceptionally low thresholds for reporting.” The definition covers events that “potentially jeopardize” information and other standards “that would likely encompass large numbers of incidents.”
The Department of Homeland Security’s Cyber Incident Reporting Council previously issued a report that identifies at least eight incident reporting requirements that apply to financial institutions. DHS Secretary Alejandro Mayorkas said in a statement at the time that the recommendations included in the report “streamline and harmonize reporting requirements” by “clearly defining a reportable cyber incident.”
“Introducing a new requirement with distinct thresholds and timeframes for reporting will further complicate an already complex regulatory landscape,” the letter says, adding that an uncoordinated regulatory approach “leaves cyber professionals with less time for the core security activities that are essential to effectively managing the organization’s cyber risk.”
Ginnie Mae’s All Participant Memorandum describes a significant cybersecurity incident as “an event that actually or potentially jeopardizes, without lawful authority, the confidentiality, integrity, or availability of information or an information system.” The broad definition also includes any incident that “constitutes a violation or imminent threat of violation of security policies” that has the potential “to directly or indirectly impact the issuer’s ability to meet its obligations.”
Ginnie Mae’s new mandates require issuers to include the date and time of the cyber incident in their report, as well as a summary of the incident based on what is known at the time of the notification and a point of contact for follow-up activities. The program guidelines state that representatives from Ginnie Mae “will contact the designated point of contact to obtain additional information and establish the appropriate level of engagement needed depending on the scope and nature of the incident.”
The guidance also says Ginnie Mae is in the process of reviewing its information security requirements “with the intent of further refining its information security, business continuity and reporting requirements.”
Ginnie Mae did not immediately return requests for comment.
Original Post url: https://www.databreachtoday.com/banking-lobby-asks-ginnie-mae-to-modify-cyber-reporting-rule-a-26130