America’s Credit Unions urges Fannie Mae to avoid inconsistent cybersecurity reporting requirements
Credit unions urge Fannie Mae to reconsider a new requirement for lenders to report any cybersecurity incident as soon as possible but no later than 36 hours after discovery, a timeframe that does not currently align with industry standards. The change is included in Fannie Mae’s update to the “Information Security and Business Resiliency Supplement,” and creates inconsistencies in reporting requirements. Credit unions are already required to report substantial cyber incidents to the NCUA as soon as possible but no later than 72 hours after discovery, which aligns with the standard adopted by the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA).
“Fannie Mae should consider a more reasonable timeframe for reporting cyber incidents that aligns with the CIRCIA and existing cyber incident notification rules—including those issued by the NCUA,” wrote America’s Credit Unions Director of Innovation and Technology Andrew Morris, in a letter sent Monday. “A 72-hour notice period would be consistent with other regulatory requirements such as the New York State Department of Financial Services' (NYDFS) cybersecurity event notification requirement, and the European Union's General Data Protection Regulation (GDPR), both of which require covered entities to report relevant cyber-related incidents within 72 hours.”