February 2026

The Three Lines of Defense for Cybersecurity Compliance
Best practices for risk management and audit assurance
By Anna DeSimone

Anna DeSimone is president of Housing Research LLC and provides consulting services and policy development in the areas of fair lending, loan operations, quality control, servicing and information security. She has written over 40 industry handbooks published by AllRegs, the MBA of America and the Federal Reserve Bank of Boston. www.housingresearchpress.com

The foundation of modern financial privacy in America began in the year 1999 with the enactment of the Gramm-Leach-Bliley Act (GLBA). Over the next 10 years, the financial services industry saw the introduction of more regulations aimed at protecting confidential consumer information. The GLBA Safeguards Rule (16 CFR Part 314), enforced by the Federal Trade Commission (FTC), requires financial institutions to protect the security, confidentiality and integrity of customer information. Companies subject to FTC jurisdiction include mortgage brokers, mortgage lenders, collection agencies, credit counselors, financial advisers, tax preparation firms, payday lenders and other entities engaged in activities that are financial in nature or incidental to financial activities.

The FTC updated the Safeguards Rule in 2024, requiring all covered entities to establish a written information security program and a documented security risk program. The amended rule also requires entities to report certain data breaches and security incidents to the FTC.

Every U.S. state now requires mortgage lenders to maintain an information security program. While GLBA applies nationwide, most states have duplicated or expanded upon federal laws for licensees regulated by their Department of Financial Institutions, Department of Banking or similar agency. States with explicit requirements as a condition of licensing or ongoing compliance include California, Connecticut, Illinois, Maryland, Massachusetts, Nevada, New York, Texas and Vermont. States requiring reference to GLBA and the FTC Safeguards Rule in the Nationwide Multistate Licensing System (NMLS) include Florida, Georgia, North Carolina, Ohio and Washington. The era of comprehensive state privacy laws began in 2020 with the California Privacy Rights Act, followed by the rapid spread of state legislation.

Failure to maintain a plan can result in enforcement actions or license suspension. Companies have been fined for lacking written information security plans, encryption policies or incident response procedures. Penalties vary by state but typically include civil fines between $25,000 and $250,000 per violation. Enforcement actions can include cease-and-desist consent orders requiring immediate corrective actions, required adoption and submission of a compliant information security plan or mandated third-party audits for 12 to 24 months.

The Conference of State Bank Supervisors (CSBS) and state regulators work together to create consistent regulatory standards for nonbank firms through the adoption of model laws. CSBS’s model laws provide a clear nationwide framework for state legislatures to enact and state regulatory agencies to implement. The Nonbank Model Data Security Law is largely based on the FTC Safeguards Rule. It requires companies to develop, implement and maintain a comprehensive, written information security program that contains administrative, technical and physical safeguards that are appropriate to the company’s size and complexity, as well as the nature and scope of its activities.

Government-sponsored enterprises Fannie Mae and Freddie Mac announced information security requirements that went into effect in September 2025. Fannie’s requirements are published in its Information Security and Business Resiliency Supplement, requiring lenders, servicers and third-party originators (TPOs) to maintain robust information security and data protection programs. Freddie’s requirements for information security and business continuity planning are published in sections 1301 and 1302 of its seller/servicer guide.

The Three Lines of Defense Risk Management Model

⊲ First Line: Operational teams implement access controls, security settings and protocols for internal and vendor systems
⊲ Second Line: Policy and compliance teams set standards, monitor controls and report cybersecurity risks to leadership
⊲ Third Line: Independent auditors assess overall risk framework effectiveness and certify compliance with industry standards

Scotsman Guide | February 2026