24-22: Cybersecurity Incidents Reminder


Freddie Mac issued an industry letter on January 20, 2024 reminding Sellers and Servicers of their obligations to maintain an effective information security program, and their reporting obligations of cybersecurity incidents.

Freddie Mac’s letter cited that a record number of cybersecurity incidents against Seller/Servicers occurred in 2023. These included incidents of social engineering (e.g., “phishing,” “spear phishing”) and installation of malware and ransomware which resulted in business disruptions for impacted lenders and for borrowers. Given recent events and the increasingly sophisticated nature of these cybersecurity incidents, correspondents are encouraged to accelerate their information security program reviews to incorporate industry best practices and lessons learned from recent events. These reviews must occur at least once on an annual basis.

Pennymac, would like to remind Correspondents of their obligations to report all cybersecurity incidents to Pennymac within 48 hours after discovery. Please report any cybersecurity incidents to Pennymac at privacyalert@pnmac.com and PCGMonitoring@pennymac.com.

Please contact your Sales Representative with any questions.