Freddie Mac Single-Family Seller/Servicer Guide §1302.5 — Incident notification and related obligations (01/01/25)

fhlmc-1302-5

Freddie Mac Guide §1302.5 (Incident notification and related obligations). Gap-fill (verbatim, ID-diff).

Get this register: .xlsx .csv More bundles →

Verbatim regulatory text (5)

Verbatim provisions from Freddie Mac Single-Family Seller/Servicer Guide §1302.5 — Incident notification and related obligations (01/01/25) — each quote is a verified substring of the regulator-published source snapshot, not retyped. Quoted for reference; this is not legal advice. The operational layer (P&P updates, prompts) lives in the regulation update kits.

Freddie Mac Guide 1302.5

(01/01/25) This section contains: ■ Security-related requirements ■ Non-critical Privacy Incident requirements ■ Requirements related to limitation, restriction or termination of System access (a) Security-related requirements If a Seller/Servicer knows or believes, or has reasonable information from which to know or believe, or a cybersecurity professional could reasonably conclude from the circumstances and available information, that there may have been any unauthorized access to or use or acquisition of data or computing resources, or any other security related issue that may compromise the security, confidentiality, availability, integrity or privacy of Freddie Mac confidential information or Protected Information (“Incident”); the Seller/Servicer must comply with the requirements below: 1. Notification to Freddie Mac Immediately notify Freddie Mac of an Incident via https://privacyportal.onetrust.com/incident-portal/webforms/94b5e41a-aba0-4e51- ba48-efa19ce560a1/1b25c37a-a280-44f2-b61e-a693a33c7267 (or by such other means as specified by Freddie Mac) in the event that such Incident causes the Seller/Servicer to

Source: Freddie Mac Single-Family Seller/Servicer Guide §1302.5 — Incident notification and related obligations (01/01/25) · source URL · snapshot 5869ee9e606cd4ae

Freddie Mac Guide 1302.5

302-67 shut down, disable, or otherwise stop using any or part of any system or other technology (whether or not such system or technology is developed by the Seller/Servicer or by a third-party and used by the Seller/Servicer) that the Seller/Servicer ordinarily uses in connection with its mortgage origination processes or Servicing Mortgages on behalf of Freddie Mac. In all other instances, as soon as possible, but no later than 36 hours after discovering the Incident, notify Freddie Mac of the Incident via https://privacyportal.onetrust.com/incident-portal/webforms/94b5e41a-aba0-4e51- ba48-efa19ce560a1/1b25c37a-a280-44f2-b61e-a693a33c7267 (or by such other means as specified by Freddie Mac) or by such other means as Freddie Mac may request. The notification must include the name, phone number and e-mail address of the contact leading the Incident investigation, any law enforcement agencies involved and all facts known about the Incident at the time of notification. 2. Obligation to investigate and remediate The Seller/Servicer must promptly investigate, mitigate and remediate the Incident at the Seller/Servicer’s expense, including identifying all Freddie Mac confidential information or Protected Information affected by the Incident and preventing the continuation and recurrence of the Incident. 3. Information to be provided to Freddie Mac After notifying Freddie Mac and providing initial information about the Incident, the Seller/Servicer must continue to update Freddie Mac as the investigation progresses, and as Freddie Mac may reasonably request, with interim status updates, including new details learned and progress made since the last update, until Freddie Mac is satisfied that there has been compliance with Applicable Laws and the event giving rise to the Incident is fully resolved. remediated and closed. All information should be sent to the location designated by Freddie Mac. The information to be provided by the Seller/Servicer includes the following: ■ Technical information ❑ Related internal and external investigations ❑ Risk factors ❑ Causation factors ❑ Technical indicators of compromise (e-mail addresses, hash values, IP addresses, malware code, vector of compromise, etc.)

Source: Freddie Mac Single-Family Seller/Servicer Guide §1302.5 — Incident notification and related obligations (01/01/25) · source URL · snapshot 5869ee9e606cd4ae

Freddie Mac Guide 1302.5

302-68 ❑ Tactics, techniques, and procedures associated with the Incident ❑ Details surrounding the attack methodology ❑ Timing of the Incident ❑ Technical and forensic reports, if available ❑ Other information that Freddie Mac may reasonably request to assist Freddie Mac in evaluating the potential or actual effect of the Incident on Freddie Mac’s infrastructure and impacted Borrowers or employees ❑ Actions that are being taken to remediate the Incident and its cause, and to protect individuals, business assets, and Freddie Mac confidential information and Protected Information ❑ Remediation actions or workarounds or corrections that resolved the incident and restored service to its best quality ❑ Eradication and recovery steps taken ❑ Postmortem and similar after-action reports generated ❑ Other details and information concerning the Incident ❑ Final incident closure report ■ Freddie Mac and Borrower information ❑ Whether, and if so the extent to which, Freddie Mac confidential information or Protected Information was accessed, taken, or exposed ❑ The nature and details of the information accessed, taken, or exposed ❑ All facts relevant to actual or potential misuse of the information, including the likelihood of misuse and, if applicable, how the information was misused ❑ Whether there is any cyber or other insurance coverage for expenses related to the Incident ❑ Potential damage estimates associated with the Incident ■ Compliance information ❑ Actions that are being taken to comply with Applicable Laws

Source: Freddie Mac Single-Family Seller/Servicer Guide §1302.5 — Incident notification and related obligations (01/01/25) · source URL · snapshot 5869ee9e606cd4ae

Freddie Mac Guide 1302.5

302-69 ❑ A Certificate of Compliance (in form and substance requested by Freddie Mac evidencing, among other things, that the Seller/Servicer has, with respect to the incident, complied with applicable Federal, State, and local data breach notification laws and regulations and all Purchase Documents, including without limitation, the Guide) ❑ Copies of any communications to Borrowers, State and federal agencies and offices, regulators, credit reporting agencies or others 4. Compliance with law The Seller/Servicer must comply in a timely manner with Applicable Laws (as defined in Section 1301.2). Where an Incident creates an obligation to notify Borrowers, the Seller/Servicer will first give Freddie Mac the opportunity to review and comment on any notification that in any way refers to or identifies Freddie Mac directly or indirectly. The Seller/Servicer must comply with Applicable Laws that require notification to federal or state authorities. Promptly following a request by Freddie Mac, the Seller/Servicer will provide Freddie Mac and its designees all information and assistance needed to enable Freddie Mac to evaluate the need for, and to timely make, any notification it deems necessary or advisable concerning the Incident. (b) Non-Critical Privacy Incident requirements Notwithstanding the notification requirement set forth in Section 1302.5(a) above, if a privacy-related Incident affects, or has the potential to affect fewer than 10 Freddie Mac Borrowers (“Non-critical Privacy Incident”), a Seller/Servicer is required to respond to the Incident in accordance with all Applicable Laws, but a Seller/Servicer is not required to report such Non-critical Privacy Incident to Freddie Mac within the 36-hour reporting window referenced above. Instead, Seller/Servicers must report Non-critical Privacy Incidents to Freddie Mac on a quarterly basis via https://privacyportal.onetrust.com/incident- portal/webforms/94b5e41a-aba0-4e51-ba48-efa19ce560a1/7aa89b26-8f28-4ed8-ae19- 944470d088c9. Seller/Servicers must submit such reports to Freddie Mac by the 5th day of each January, April, July and October, in each case covering Non-critical Privacy Incidents in the three immediately preceding calendar months. An Incident that involves any of the factors listed below is not a Non-critical Privacy Incident, and a Seller/Servicer must handle the Incident in accordance with Section 1302.5(a) above: 1. The Incident could lead to the compromise of a user account or system providing access to any Freddie Mac System (as defined in Section 2401.1(b)) 2. A malicious actor caused the Incident

Source: Freddie Mac Single-Family Seller/Servicer Guide §1302.5 — Incident notification and related obligations (01/01/25) · source URL · snapshot 5869ee9e606cd4ae

Freddie Mac Guide 1302.5

302-70 3. The impacted States/territories or federal statute require the Seller/Servicers to notify State or federal regulators or the affected Borrowers 4. There is active or anticipated media coverage of the Incident 5. Law enforcement has been or will be contacted regarding the Incident 6. The Seller/Servicer receives notice from a regulator that it is not or may not be compliant with its breach response obligations 7. The Seller/Servicer is aware of or reasonably should anticipate material risk to Borrowers, investors, Freddie Mac (including without limitation, Freddie Mac’s infrastructure) or others, based on specific facts and circumstances (c) Requirements related to limitation, restriction or termination of System access Whether in connection with the actual or suspected presence of Malicious Code (as defined in Section 1302.2), an Incident, or otherwise, Freddie Mac reserves the right, in its sole and absolute discretion, at any time with or without notice, to limit, restrict and/or terminate a Seller/Servicer’s access to any System or the UCDP®, temporarily or permanently. If, and when, Freddie Mac determines that restoring any level of System or the UCDP access to a Seller/Servicer is appropriate, as a condition to such access restoration, Seller/Servicer shall provide to Freddie Mac upon request (i) such assurances and information as Freddie Mac may deem necessary, in its sole and absolute discretion; and (ii) an attestation, executed by a duly authorized corporate officer, of the adequacy of any applicable containment, eradication or remediation of any vulnerability related to such Malicious Code, Incident (as defined above), and the eradication of any threat actor from the Seller/Servicer’s environment or any system or technology used by the Seller/Servicer (whether or not such system or technology is developed by the Seller/Servicer or by a third-party and used by the Seller/Servicer). Freddie Mac shall have no liability to any Seller/Servicer or third party arising out of, related to, or in connection with Freddie Mac’s limitation, restriction, or termination of a Seller/Servicer’s access to any System.

Source: Freddie Mac Single-Family Seller/Servicer Guide §1302.5 — Incident notification and related obligations (01/01/25) · source URL · snapshot 5869ee9e606cd4ae