Information Security and Privacy Updates FAQ
This information is not a replacement or substitute for the requirements in the Freddie Mac Single-Family Seller/Servicer Guide and other Purchase Documents.
Minimizing risk of loss in the event of a disaster or unexpected disruption is critical for our business and the service we provide to the American public. Accordingly, Freddie Mac adopts rigorous data security and privacy standards, and we apply similar requirements to Seller/Servicers, as well as related third parties and counterparties with whom we share information.
Guide Bulletin 2024-16 provides Seller/Servicers with the most recent updates to Guide Chapter 1302, Information Security and Business Continuity Planning, effective January 1, 2025 and March 11, 2025, related to:
- Information security and incident reporting
- Business continuity planning
- Disaster recovery planning
- Artificial intelligence and machine learning
Information Security Incident Reporting (Section 1302.2)
What is an Incident that must be reported?
An Incident is defined in the Guide as when a Seller/Servicer knows or believes, or has reasonable information from which to know or believe, or a cyber security professional could reasonably conclude from the circumstances and available information, that there may have been any unauthorized access to or use or acquisition of data or computing resources, or any other security related issue that may compromise the security, confidentiality, availability, integrity or privacy of Freddie Mac confidential information or Protected Information.
If a Seller/Servicer has any reason to believe that an Incident may have occurred, it must notify Freddie Mac.
What if we are still investigating and haven’t determined the scope of the Incident?
You must notify Freddie Mac as soon as you believe that an Incident may have occurred. Do not wait until you have determined the full scope or impact of the Incident.
How do I know if an Incident should be reported immediately, within 36 hours or quarterly?
While Freddie Mac requires immediate reporting of all Incidents, Seller/Servicers may have up to 36 hours to report less severe Incidents, and even longer for Non-critical Privacy Incidents, using established criteria set forth in the Guide.
Report immediately any time an Incident causes a Seller/Servicer to shut down, disable or disconnect all or part of a system or technology used in connection with mortgage originations or servicing mortgages on behalf of Freddie Mac.
In all other instances, an Incident must be reported to Freddie Mac as soon as possible but no later than 36 hours after discovering the Incident. Time is of the essence in reporting Incidents, and no delay in notification is permitted due to investigation or to determine the scope of the Incident.
A narrow exception applies for Non-critical Privacy Incidents.
Report Non-critical Privacy Incidents quarterly. These are Incidents that (i) involve fewer than ten (10) Freddie Mac borrowers and (ii) meet the following conditions:
- There is no possibility that the Incident could lead to the compromise of a user account or any Freddie Mac system or technology.
- There is no evidence that a malicious actor caused the Incident.
- There is no state or federal requirement that the Seller/Servicer must notify its regulator, any other government agency or the affected borrowers.
- There is no media coverage of the Incident and none is anticipated.
- The Seller/Servicer has not notified, and has no plans to notify, law enforcement.
- The Seller/Servicer has not received from a regulator notice that the Seller/Servicer is not or may not be compliant with its breach response obligations.
- There is no actual or anticipated material risk to borrowers, investors, Freddie Mac (including, without limitation, Freddie Mac’s infrastructure) or others arising from the Incident.
What if we’re still investigating and haven’t determined the scope of the Incident?
Notify Freddie Mac as soon as you discover that an Incident may have occurred. Do not wait until you have determined the scope or impact of the Incident. If you’re uncertain what to do, contact your Freddie Mac Representative or the Customer Support Contact Center (800-FREDDIE).
How do I report Incidents to Freddie Mac?
Freddie Mac created two Incident Reporting web intake forms that will be available effective January 1, 2025.
For immediate Incident reporting (determined based on severity), Seller/Servicers should use the live Freddie Mac Incident Intake Form, accessed on FreddieMac.com, in Guide Section 1302.5, or here.
For quarterly reporting of Non-critical Privacy Incidents, Seller/Servicers should use the Freddie Mac Quarterly Incident Intake Form on the 5th day of each January, April, July and October. This form is accessed on Freddiemac.com, in Guide Section 1302.5, or here.
Will my company still have access to Freddie Mac tools/systems if I report an Incident?
Freddie Mac will assess whether any access limitation is needed to remediate the potential risks. If access is limited or terminated, Freddie Mac’s Information Security personnel will communicate with you and convey requirements for restoration.
If we speak to the press, should we mention Freddie Mac?
Do not mention Freddie Mac in any communications you have with outside third parties. If you believe that mentioning Freddie Mac is necessary, you must advise Freddie Mac in advance and Freddie Mac must have an opportunity to review and comment upon any external statements.
Business Continuity Planning (Section 1302.3)
Is it possible my Business Continuity Plan (BCP) already meets the Guide requirements?
The enhancements to Section 1302.3 add detail about the contents of the BCP plan to assist Seller/Servicers in aligning with industry best practices related to information security, which includes resiliency planning and document retention. Seller/Servicer BCPs may already meet the Guide requirements.
Will I need to submit my BCP to Freddie Mac?
During a Counterparty Operational Risk Evaluation (CORE) or other review, Freddie Mac may request to see a Seller/Servicer’s BCP. Otherwise, there is no requirement that BCPs be submitted to Freddie Mac.
Disaster Recovery Planning (Section 1302.4)
What if I have a BCP, but not a Disaster Recovery Plan (DRP)?
If a Seller/Servicer’s BCP includes the provisions that would otherwise be included in a DRP, no separate DRP is required.
Is it possible my DRP already meets the Guide requirements?
New Guide Section 1302.4 contains the requirements related to DRPs. Seller/Servicers should do an analysis to determine if there are any gaps between their plans and the requirements.
Will I need to submit this plan to Freddie Mac?
During a CORE or other review, Freddie Mac may request to see a Seller/Servicer’s DRP. Otherwise, there is no requirement that plans be submitted to Freddie Mac.
Use of Artificial Intelligence and Machine Learning (Section 1302.6)
What is Artificial Intelligence (AI)/ Machine Learning (ML)?
Artificial intelligence refers to the development of computer programs and systems which can perform tasks that typically require human intelligence. Tasks can include reasoning, learning (e.g., machine learning or ML), problem-solving, and language understanding (e.g., for use in translation or dictation software).
When does the use of AI and/or ML need to be reported to Freddie Mac?
A Seller/Servicer’s use of AI/ML must be reported to Freddie Mac if (i) it relates to the origination of mortgages to be sold to, guaranteed by or serviced on behalf of Freddie Mac; and (ii) Freddie Mac requests such information.
If requested, the Seller/Servicer must share the types of AI/ML used, the purpose and manner of such use, the safeguards in place to mitigate risks related to the use of AI/ML, and such other information as Freddie Mac may require.
What are Freddie Mac requirements on the use of AI and/or ML?
Seller/Servicer use of AI/ML must be consistent with Applicable Law and the Seller/Servicer’s Purchase Documents.
Further, Seller/Servicers using AI/ML must develop, implement and maintain policies and procedures for its use, which must at a minimum: (i) be approved by senior management, including, at least, the Chief Information Officer, Chief Technology Officer, Chief Information Security Officer or Chief Risk Officer (or the equivalents thereof); (ii) be communicated to appropriate personnel who have job responsibilities in areas that use AI/ML; and (iii) have an owner (or owners) who maintains and reviews the policies and procedures at least annually to ensure they comply with Applicable Law and consistently reflect industry best practices.
Is there a job aid for Seller/Servicers to use to help ensure compliance with Guide AI/ML requirements?
There is no job aid at this time. If you have additional questions, reach out to your Freddie Mac Representative or the Customer Support Contact Center (800-FREDDIE).
Validation and Third Parties
How will Freddie Mac validate compliance with these requirements?
The Freddie Mac CORE team will validate compliance as part of their regular exams by reviewing applicable policies, procedures and controls.
Are Seller/Servicers required to obtain security or privacy assessments from an independent third party?
No. A Seller/Servicer may elect to conduct such security and/or privacy assessments internally. Freddie Mac may request a copy of the assessment for review at any time as relates to Freddie Mac mortgages, Freddie Mac confidential information or Protected Information.
Are Seller/Servicers required to mandate the same information security and privacy controls of their service providers?
Yes. Seller/Servicers using service providers (which are related third parties) that store, process, access or transmit Freddie Mac confidential information or Protected Information related to Freddie Mac mortgages must require the service provider to comply with information security and privacy requirements substantially similar to those set forth in Chapter 1302 of the Guide.
What controls/validation is required for related third-party service providers?
Seller/Servicers are required to have a third-party risk management program. The scope and depth of controls validation by the Seller/Servicer is expected to be commensurate with the potential risk and exposure of the service provider.
Where do I find industry best practices and technology standards?
Freddie Mac does not prescribe which standards should be used. Two reputable sources for pertinent information are the National Institute of Standards and Technology (NIST) and the Federal Financial Institutions Examination Council (FFIEC). Other standards exist; Seller/Servicers should determine the applicable standard based upon their business model and needs.