Cybersecurity - Frequently Asked Questions


  • While the specific language varies, both GSEs (Fannie Mae and Freddie Mac) expect: 

    • Regular cybersecurity risk assessments 

    • Annual (or risk-based) penetration testing 

    • Independent third-party validation 

    • Timely remediation of identified vulnerabilities 

    • Documentation and reporting for audit purposes 

    Pen testing supports compliance with broader frameworks such as GLBA, NIST, and FFIEC guidelines, which underpin GSE requirements. 

  • Fannie Mae and Freddie Mac require mortgage lenders, servicers, and vendors to maintain robust cybersecurity programs, including periodic independent security testing such as penetration testing. These requirements are part of broader expectations to protect borrower data, prevent fraud, and ensure operational resilience.

  • Penetration testing (or "pentesting") is a controlled, authorized simulation of cyberattacks against your systems, applications, and networks to identify vulnerabilities that could be exploited by malicious actors. Unlike automated scans, penetration testing involves skilled security professionals attempting real-world attack techniques to uncover weaknesses before attackers do. 

  • Vulnerability scanning: automated; identifies known issues; broad but shallow; provides no proof of exploitability. 

    Penetration testing: manual plus automated; exploits weaknesses to demonstrate risk; targeted and deeper; demonstrates real-world impact. 

    Both are important, but penetration testing validates actual risk exposure, which is what the Fannie Mae and Freddie Mac security requirements expect.

  • The frequency can vary based on risk profile and audit findings. 

    Typically: 

    • At least annually 

    • After significant system changes 

    • Following security incidents 

    • When introducing new applications or infrastructure

  • Yes. If you are a vendor supporting mortgage operations or handling borrower data, you are often required to demonstrate equivalent cybersecurity controls, including penetration testing, to meet third-party risk management expectations.

  • Failure to perform adequate security testing can lead to: 

    • Undetected vulnerabilities 

    • Increased likelihood of data breaches 

    • Regulatory findings or audit failures 

    • Loss of borrower trust 

    • Financial and operational disruption

  • In severe cases, organizations may lose the ability to sell loans to or service loans for Fannie Mae or Freddie Mac. 

    Penalties may include: 

    • Remediation mandates and increased oversight 

    • Suspension or termination of GSE approvals 

    • Financial penalties or repurchase demands 

    • Reputational damage 

    • Increased audit scrutiny

  • The penetration testing scope should reflect a risk-based, enterprise-wide view of all systems that store, process, or expose borrower and mortgage data, with particular focus on external access points, identity systems, and integrated platforms. Fannie Mae and Freddie Mac expectations emphasize systems that are internet-facing, sensitive, or critical to business operations. 

    Common scope areas include: 

    • External-facing applications 
      (e.g., loan origination portals, borrower applications, servicing platforms) 
      These are a primary focus because they are directly exposed to attackers and represent the highest risk entry points. 

    • Internal networks 
      Evaluation of internal systems helps identify how an attacker could move laterally after gaining initial access, including access to sensitive loan and borrower data. 

    • APIs and integrations 
      Modern mortgage ecosystems rely heavily on third-party integrations. Testing ensures that data exchanges and trust relationships are secure and not easily exploited. 

    • Cloud environments (AWS, Azure, etc.) 
      Includes review of cloud configurations, storage, identity controls, and exposed services, as cloud misconfigurations are a leading source of breaches. 

    • Authentication and identity systems 
      (e.g., Active Directory, SSO, MFA implementations) 
      These are critical because attackers frequently target identity systems to gain broad access to enterprise resources. 

    Fannie Mae and Freddie Mac generally expect organizations to ensure that penetration testing: 

    • Covers all systems involved in loan origination, processing, servicing, and data storage 

    • Prioritizes public-facing and high-risk assets 

    • Includes environments that handle non-public personal information (NPI) 

    • Evaluates both external and internal attack scenarios 

    • Accounts for third-party and cloud-hosted systems where applicable

  • Penetration testing is carefully planned to minimize disruption. Activities are: 

    • Coordinated in advance 

    • Conducted in defined testing windows 

    • Designed to avoid system downtime

    Any high-risk actions are discussed and approved beforehand. 

  • Typical timelines: 

    • Small scope: 1-3 days of testing, 1-2 weeks of analysis and reporting 

    • Medium scope: 2-5 days of testing, 1-2 weeks of analysis and reporting 

    • Large/complex environments: 5-10 days of testing, 2-4 weeks of analysis and reporting

  • You can expect: 

    • Executive summary (business risk overview) 

    • Detailed technical findings 

    • Risk ratings (e.g., critical/high/medium/low) 

    • Proof-of-concept for vulnerabilities 

    • Remediation recommendations 

    • Presentation of findings and recommendations to technical stakeholders and business leaders

  • You will: 

    1. Review findings with your security and IT teams 

    2. Prioritize remediation based on severity 

    3. Complete remediation activity to address vulnerabilities

  • While not all findings carry equal risk, regulators expect: 

    • Critical and high-risk issues to be remediated promptly 

    • A documented remediation plan for lower-risk issues

  • Yes, but with clear separation of responsibilities to maintain independence and objectivity. 

    We offer: 

    • Guidance and advisory support 

    • Secure architecture recommendations 

    • Validation of fixes (retesting) 

    Industry standards and regulatory expectations emphasize independence between testing and remediation activities. To avoid potential conflicts of interest, we do not perform hands-on remediation of the exact issues we identify, as this could compromise the objectivity of the assessment. Maintaining this separation ensures that findings remain unbiased, defensible, and audit-ready, and it aligns with best practices expected by regulators, auditors, and frameworks such as NIST and FFIEC.

  • Pentesting helps: 

    • Reduce breach risk 

    • Protect borrower data 

    • Strengthen investor confidence 

    • Improve incident response readiness 

    • Demonstrate strong governance to regulators and partners

  • Organizations need to provide: 

    • Defined scope 

    • Network/application details 

    • Points of contact 

    • Rules of engagement (authorization)

  • You will maintain: 

    • Penetration test reports 

    • Remediation tracking evidence 

    • Policies and procedures 

    • Risk assessment documentation 


    These are often requested during audits or reviews.

Questions About The Commonwealth Group:

Have any more questions for us?