Perspectives

Cybersecurity in Focus

Anthony Johnson

Cybersecurity is an increasingly important topic for companies, particularly those in the financial services field. I’ll be discussing cybersecurity during a panel at the Mortgage Bankers Association (MBA) Annual Conference in San Diego on October 20, and I wanted to share some thoughts about how Fannie Mae has focused on this topic in recent years. 

First of all, it’s important to keep in mind that the cybersecurity landscape is constantly changing, with new threats and vulnerabilities emerging all the time. The most important concept for any organization is vigilance. You must pay attention at all times.

My team and I are responsible for building strong cyber defenses at Fannie Mae, and we focus on this every day. Our goal is to protect the important technology systems that Fannie Mae provides to our customers, such as Desktop Underwriter® and Collateral Underwriter, and to safeguard the data we receive from lenders and servicers about loans made to borrowers all across the country. We employ a number of protection and monitoring tools, and we have a highly technical team of people prepared to respond to cyberattacks or data breaches.

It’s important to recognize that organizations must marshal the resources of the entire enterprise in order to prevent cyberattacks, and manage any incidents. Both before and during a cyberattack, colleagues from across the organization must come together effectively. 

With this in mind, at Fannie Mae we have built a cross-functional team that thinks about cybersecurity risk from all angles. We are building out a cyber risk framework as a distinct component of our enterprise operational risk framework. We have developed metrics to monitor what kind of threats we’re seeing, and improved our plans to respond to cyberattacks or data breaches. We have also expanded the tools that we use to protect the enterprise to ensure we are utilizing best of breed solutions and to drive faster response to mitigate threats.&

With the speed and complexity of the growing cyber threat landscape, it is crucial to bring in outside expertise to supplement the internal team. At Fannie Mae, we’ve secured the services of many external partners to help review, enhance, and augment our current practices. These include top industry experts and solutions across many domains, and their help has been critical in strengthening the defenses of the company.

For example, the firm FireEye is a recognized industry leader in incident response and they have become a key partner in helping us to strengthen our capabilities. They are just one of many resources we’ve engaged to build our defenses.

One topic I will be discussing at the MBA specifically is the work we’ve done with BitSight, a company that helps to measure cybersecurity maturity across many industries. To date, this measurement has shown us to be in a strong position. We will continue to mine the insights we receive from BitSight and many others to further inform how we can better protect the company. We’ve taken the insights from tools like these, and combined them with fundamental aspects of cyber security to ensure we apply and leverage a holistic approach to protecting the enterprise. By continually challenging ourselves and our approaches we’ve been working to drive significant risk reduction.

I can’t emphasize enough how important it is to leverage third-party expertise in building an effective cyber defense posture. At Fannie Mae, we’ve built a strong team of industry experts who wake up every morning focused on how to protect the company, our technology, and the data we receive. But we can’t do it alone. The combination of internal and external threat intelligence has helped us to prepare for threats as they emerge.

Financial services companies are entrusted with the personal information of their customers, whether that is somebody’s bank account, their investment portfolio, or their mortgage. At Fannie Mae, we provide technology solutions that drive a significant portion of the mortgage market. It is our responsibility to protect that data and those systems as best we can, and we take that responsibility seriously. 

We will continue to focus on creating strong defenses to prevent cyberattacks or data breaches. I look forward to discussing this important topic with lenders, servicers, and other industry leaders at the MBA conference in October.

Anthony Johnson
Chief Information Security Officer

October 13, 2015