In This Article
- The Regulatory Landscape in 2026
- Five Pillars of a Compliant IT Framework
- The Cost of Getting It Wrong
- Building the Evidence Trail Examiners Want
- Common Gaps That Trigger Findings
- NIST CSF 2.0 vs. CIS Controls vs. CISA CPGs
- Why In-House IT Alone Isn't Enough
- A 90-Day IT Framework Hardening Plan
- Frequently Asked Questions
A single failed FFIEC examination costs the average mortgage company between $50,000 and $250,000 in remediation. That figure doesn't count the operational drag while your team scrambles to fix findings instead of closing loans. The FFIEC sunset its Cybersecurity Assessment Tool (CAT) on August 31, 2025, pushing lenders toward NIST CSF 2.0 and CIS Controls as the new baseline. If your IT framework hasn't caught up, examiners will notice.
Building a compliant IT framework isn't about checking boxes on a spreadsheet once a year. It's about wiring compliance into the infrastructure so your systems stay audit-ready between examinations, not just during them.
This guide breaks down what mortgage IT teams need to build, maintain, and prove to regulators in 2026.
The Regulatory Landscape Mortgage Companies Face in 2026
Mortgage companies operate under overlapping federal and state regulations. The Dodd-Frank Act, RESPA, TILA, HMDA, and the Gramm-Leach-Bliley Act (GLBA) set the federal floor. State regulators add their own layers. The FTC Safeguards Rule, updated in 2023 and enforced aggressively since, requires specific technical controls that many lenders still haven't fully implemented.
The biggest shift in 2025-2026 is the post-CAT compliance framework. The FFIEC retired the CAT and now points institutions toward three alternatives:
- NIST Cybersecurity Framework 2.0 with its six core functions: Govern, Identify, Protect, Detect, Respond, Recover
- CISA Cybersecurity Performance Goals (CPGs) including sector-specific targets for financial services
- CIS Controls v8.1 providing prioritized technical safeguards ranked by implementation group
Fannie Mae added to the pressure with its Information Security and Business Resiliency Supplement, fully enforceable since August 2025. Sellers and servicers now need documented business continuity plans that specifically address cyber incidents, multi-factor authentication, least-privilege access, and a 36-hour incident reporting deadline to Fannie Mae after identifying any cybersecurity event. Technology service providers had until December 31, 2025; document custodians have until April 1, 2026.
Five mortgage companies disclosed data breaches in early 2026 alone. Cornerstone First Mortgage reported SSN exposure from a 2023 breach only discovered in September 2025. Mortgage Educators and Compliance (MEC) found a rogue script siphoning credit card data through a hijacked Google Analytics account — 24,000 individuals affected. Figure Technology Solutions lost 12,400 loan inquiry records to a phishing attack. These are not theoretical risks. They are happening to companies that assumed their frameworks were adequate.
For mortgage IT teams, this means the framework you built around the CAT five years ago is now outdated. Examiners expect to see alignment with one of the FFIEC-endorsed frameworks, documented risk assessments, and evidence of continuous monitoring.
Five Pillars of a Compliant Mortgage IT Framework
A compliant IT framework for mortgage companies rests on five pillars. Skip one, and the whole structure wobbles during an exam.
1. Identity and Access Management
Every compliance framework starts with controlling who can access what. For mortgage companies handling borrower PII, Social Security numbers, and financial records, weak access controls are the fastest path to a finding.
The technical requirements include:
- Multi-factor authentication (MFA) on all systems that touch borrower data, including your LOS, document management, and email
- Conditional Access policies that block legacy authentication protocols and enforce device compliance
- Role-based access control (RBAC) so loan officers see loan data, not payroll records
- Privileged access management for admin accounts, with time-limited elevation and full audit logging
Microsoft Entra ID handles all four when configured correctly. The gap most lenders face isn't missing tools. It's incomplete configuration. Your tenant has the capabilities. The question is whether someone has turned them on and tested them.
2. Data Protection and Encryption
The FTC Safeguards Rule explicitly requires encryption of customer information both in transit and at rest. That means TLS 1.2 or higher for all data transmission and AES-256 encryption for stored data.
Practical steps for mortgage companies:
- Enable BitLocker on all endpoints through Intune device compliance policies
- Configure Data Loss Prevention (DLP) policies in Microsoft Purview to prevent borrower SSNs and account numbers from leaving the organization via email or file sharing
- Set sensitivity labels for loan documents so they're encrypted and tracked throughout their lifecycle
- Verify your LOS vendor's encryption standards. If Encompass or Calyx data transits unencrypted between your network and their cloud, that's a finding waiting to happen.
Your Compliance Framework Has a February Deadline
Fannie Mae's cybersecurity supplement is now fully enforceable. Document custodian requirements take effect April 1, 2026. If your IT framework hasn't been updated since the FFIEC CAT sunset, examiners will notice the gap at your next review.
3. Continuous Monitoring and Threat Detection
Annual penetration tests aren't enough anymore. The NIST CSF 2.0 Detect function expects continuous monitoring with automated alerting. For mortgage companies, that means real-time visibility into:
- Sign-in anomalies and impossible travel detections
- Changes to Conditional Access policies or admin role assignments
- External sharing of sensitive documents
- Endpoint compliance drift (devices falling out of compliance with Intune policies)
- Email authentication failures (SPF, DKIM, DMARC)
Microsoft Defender for Office 365 and Defender for Endpoint provide the detection layer. Microsoft Sentinel can aggregate alerts across your environment. The challenge for mid-size lenders is having someone watching the dashboard. Alerts that fire into an unmonitored inbox are worse than no alerts at all because examiners will ask to see your response logs.
4. Incident Response and Business Continuity
Fannie Mae's 2025 supplement now requires documented incident response plans that specifically address cyber events. Examiners want to see three things:
- A written incident response plan that names roles, escalation procedures, and communication templates
- Tabletop exercises conducted at least annually, with documented results and corrective actions
- Backup and recovery testing proving you can restore loan data and resume operations within your stated recovery time objective (RTO)
The common failure point is testing. Many lenders have an incident response plan in a binder on a shelf. They've never run it. When examiners ask "When did you last test your IR plan?" the answer can't be "never."
5. Vendor Risk Management
Mortgage companies rely on dozens of third-party vendors: LOS platforms, credit bureaus, appraisal management companies, document preparation services, and IT providers. Each vendor with access to borrower data extends your compliance boundary.
A compliant vendor management program includes:
- Due diligence questionnaires for every vendor with data access
- Annual SOC 2 report reviews (or equivalent attestations)
- Contractual requirements for breach notification timelines
- Access reviews confirming vendors only reach systems they need
The FFIEC's updated guidance specifically calls out concentration risk. If your LOS, email, file storage, and security tools all run on the same cloud provider, examiners want to see how you've assessed and mitigated that concentration.
The Cost of Getting It Wrong
Compliance failures in mortgage lending carry compounding consequences. The direct costs are measurable. The indirect costs — operational disruption, reputational damage, lost business — are harder to quantify but often larger.
That $6.08 million figure includes detection, notification, lost business, and post-breach response costs. But for mortgage companies, the damage extends further:
- Examination findings require documented remediation plans with deadlines. Your IT team stops building and starts fixing. Loan officers wait for system changes.
- FTC enforcement under the Safeguards Rule can impose penalties up to $43,000 per day for consent order violations. The FTC also requires breach notification within 30 days for incidents affecting 500+ consumers.
- Warehouse lender requirements are tightening. Some warehouse lenders now require cybersecurity attestations before extending credit lines. A failed exam can restrict your funding sources.
- GSE compliance is now non-negotiable. Fannie Mae's 36-hour incident reporting deadline means a breach that would have been quietly managed now becomes an immediate disclosure obligation.
The average breach lifecycle in financial services is 241 days from intrusion to containment — a nine-year low, but still eight months of undetected exposure. For mortgage companies without mature detection capabilities, the actual lifecycle is likely longer. Cornerstone First Mortgage's 2023 breach wasn't discovered until September 2025 — more than two years of exposure before anyone noticed.
"The CSF has been a vital tool for many organizations, helping them anticipate and deal with cybersecurity threats. CSF 2.0 is not just about one document. It is about a suite of resources that can be customized and used individually or in combination over time as an organization's cybersecurity needs change and its capabilities evolve."
Laurie E. Locascio, NIST Director, on the release of NIST CSF 2.0
Building the Evidence Trail Examiners Actually Want
Compliance isn't just about having controls. It's about proving they work. The IT framework needs to generate evidence automatically because manual compliance tracking breaks down at scale.
Automated Compliance Reporting
Microsoft 365 compliance tools can generate most of the evidence examiners request. The key reports include:
- Microsoft Secure Score trending over time (shows continuous improvement, not just point-in-time snapshots)
- Conditional Access sign-in logs showing MFA enforcement rates and blocked legacy auth attempts
- DLP policy match reports demonstrating you're catching and blocking sensitive data leaks
- Device compliance reports from Intune showing encryption status, OS patch levels, and policy adherence
- Audit logs for admin actions, mailbox access, and SharePoint/OneDrive external sharing
The trick is setting up these reports before an exam, not scrambling to pull them when you get the notification letter. Build a monthly compliance dashboard that your CISO or compliance officer reviews. That review itself becomes evidence of governance.
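One way to turn the sign-in log into the evidence named above (MFA enforcement rate, blocked versus allowed legacy-auth attempts), and to surface the continuous-monitoring signal from the Detect section in the same pass. This is an added example, not code from the article or from Microsoft; it assumes records in the JSON shape of the Microsoft Graph signIn resource (fields such as clientAppUsed, authenticationRequirement, status.errorCode), the legacy client-app labels are assumed from how the Entra sign-in log names them, and the sample records are constructed.

```python
"""Aggregate exported Entra ID sign-in records into examiner-ready metrics.

Added example (not the article's own code). Input is assumed to be the JSON
returned by GET https://graph.microsoft.com/v1.0/auditLogs/signIns; the
records at the bottom are constructed, not real tenant data.
"""
import json
from collections import Counter

# clientAppUsed labels assumed to represent legacy (non-modern) protocols.
LEGACY_CLIENT_APPS = {
    "Exchange ActiveSync", "IMAP4", "POP3", "SMTP", "Authenticated SMTP",
    "Exchange Online PowerShell", "MAPI Over HTTP",
    "Outlook Anywhere (RPC over HTTP)", "Other clients",
}
BLOCKED_BY_CA = 53003  # AADSTS53003: access blocked by Conditional Access


def sign_in_evidence(records):
    """Return MFA enforcement rate plus legacy-auth blocked/allowed counts.

    errorCode 0 is a successful sign-in. The MFA rate is the share of
    successful modern-client sign-ins that required MFA. Any successful
    legacy-protocol sign-in is a finding: it proves the Conditional Access
    block is not covering that user or client.
    """
    success_total = success_mfa = 0
    legacy = Counter()
    allowed_legacy = []
    for r in records:
        code = r.get("status", {}).get("errorCode", 0)
        app = r.get("clientAppUsed", "")
        if app in LEGACY_CLIENT_APPS:
            if code == BLOCKED_BY_CA:
                legacy["blocked"] += 1
            elif code == 0:
                legacy["allowed"] += 1
                allowed_legacy.append((r.get("userPrincipalName"), app))
            else:
                legacy["other_failure"] += 1
            continue
        if code == 0:
            success_total += 1
            if r.get("authenticationRequirement") == "multiFactorAuthentication":
                success_mfa += 1
    rate = round(100 * success_mfa / success_total, 1) if success_total else 0.0
    return {
        "mfa_enforcement_rate_pct": rate,
        "legacy_blocked": legacy["blocked"],
        "legacy_allowed": legacy["allowed"],
        "findings": sorted(set(allowed_legacy)),
    }


# Constructed sample: three modern sign-ins (two with MFA), one ActiveSync
# attempt blocked by Conditional Access, one IMAP sign-in that was let through.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "lo1@example.com", "clientAppUsed": "Browser",
     "authenticationRequirement": "multiFactorAuthentication", "status": {"errorCode": 0}},
    {"userPrincipalName": "lo2@example.com", "clientAppUsed": "Mobile Apps and Desktop clients",
     "authenticationRequirement": "multiFactorAuthentication", "status": {"errorCode": 0}},
    {"userPrincipalName": "svc-scanner@example.com", "clientAppUsed": "Browser",
     "authenticationRequirement": "singleFactorAuthentication", "status": {"errorCode": 0}},
    {"userPrincipalName": "exec@example.com", "clientAppUsed": "Exchange ActiveSync",
     "status": {"errorCode": 53003, "failureReason": "Blocked by Conditional Access"}},
    {"userPrincipalName": "exec@example.com", "clientAppUsed": "IMAP4",
     "authenticationRequirement": "singleFactorAuthentication", "status": {"errorCode": 0}},
]

if __name__ == "__main__":
    print(json.dumps(sign_in_evidence(SAMPLE_SIGNINS), indent=2))
```

Run it monthly over the exported log and keep the output with the dashboard review; a non-empty findings list is the item to remediate before an examiner finds it.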
Policy Documentation That Passes Muster
Examiners read policies. They compare what the policy says to what the system actually does. The fastest way to fail an exam is having a policy that describes controls you haven't implemented.
Write policies that match your actual environment. If your policy says "all endpoints are encrypted" but Intune shows 15% non-compliant devices, that's a finding. Update the policy to reflect reality, then close the gap.
Essential policy documents for mortgage companies:
- Information Security Policy (umbrella document covering all controls)
- Acceptable Use Policy
- Incident Response Plan
- Business Continuity and Disaster Recovery Plan
- Vendor Management Policy
- Data Classification and Handling Policy
- Change Management Policy
Fannie Mae's Information Security and Business Resiliency Supplement is now fully enforceable for sellers and servicers. Document custodians face an April 1, 2026 compliance deadline. The supplement requires a formal Information Security Program aligned with NIST or ISO 27001, multi-factor authentication, least-privilege access, regular account reviews, and a 36-hour incident reporting deadline. Mortgage companies that haven't updated their documentation since 2024 are already out of compliance.
Common IT Framework Gaps That Trigger Examination Findings
After working with hundreds of mortgage companies on compliance readiness, certain patterns emerge. These gaps show up repeatedly across lenders of all sizes.
Legacy Authentication Still Enabled
Legacy authentication protocols (POP3, IMAP, SMTP basic auth) bypass MFA entirely. Microsoft has deprecated them, but many tenants still allow them for "that one application" or "that one executive's old email client." Examiners check. Block legacy auth through Conditional Access. No exceptions.
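The policy itself, and the check that it is actually enforced tenant-wide (the "has someone turned it on" question from the identity section above), as an added example that is not the article's or Microsoft's own code. It assumes the Microsoft Graph conditionalAccessPolicy JSON shape used by the identity/conditionalAccess/policies endpoint; the HTTP calls are left out, the break-glass and group IDs are placeholders, and the sample policy list is constructed.

```python
"""Build a Conditional Access policy that blocks legacy authentication and
audit an exported policy list for whether such a block is really enforced.

Added example, not code from the article. Policies are assumed to be in the
JSON shape of GET https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies.
"""
import json

# Graph clientAppTypes that cover legacy (non-modern) authentication.
LEGACY_CLIENT_APP_TYPES = {"exchangeActiveSync", "other"}


def block_legacy_auth_policy(break_glass_ids, state="enabledForReportingButNotEnforced"):
    """Return the Graph request body for a tenant-wide legacy-auth block.

    Start in report-only state, confirm in the sign-in log that only the
    expected clients would be blocked, then set state to "enabled".
    break_glass_ids are emergency-access account object IDs kept out of scope.
    """
    return {
        "displayName": "Block legacy authentication",
        "state": state,
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": list(break_glass_ids)},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": sorted(LEGACY_CLIENT_APP_TYPES),
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def policy_blocks_legacy_auth(policy):
    """True only if the policy is enabled and blocks legacy auth for all users and apps."""
    cond = policy.get("conditions", {})
    grant = policy.get("grantControls") or {}
    return (
        policy.get("state") == "enabled"
        and "All" in cond.get("users", {}).get("includeUsers", [])
        and "All" in cond.get("applications", {}).get("includeApplications", [])
        and LEGACY_CLIENT_APP_TYPES <= set(cond.get("clientAppTypes", []))
        and "block" in grant.get("builtInControls", [])
    )


def audit_legacy_auth(policies):
    """Report enforcing policies and the report-only/partial ones that only look like a block."""
    enforcing, not_enforced = [], []
    for p in policies:
        if policy_blocks_legacy_auth(p):
            enforcing.append(p["displayName"])
        elif LEGACY_CLIENT_APP_TYPES & set(p.get("conditions", {}).get("clientAppTypes", [])):
            not_enforced.append(f'{p["displayName"]} ({p.get("state")})')
    return {"blocked": bool(enforcing), "enforcing": enforcing, "not_enforced": not_enforced}


# Constructed sample: the block left in report-only, plus a pilot scoped to one group.
SAMPLE_POLICIES = [
    block_legacy_auth_policy(["<break-glass-object-id>"]),
    {"displayName": "Pilot legacy block", "state": "enabled",
     "conditions": {"users": {"includeGroups": ["<pilot-group-id>"]},
                    "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["exchangeActiveSync", "other"]},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
]

if __name__ == "__main__":
    print(json.dumps(audit_legacy_auth(SAMPLE_POLICIES), indent=2))
```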
No Centralized Logging
Loan officer workstations generate security events. Your LOS generates audit logs. Your email system generates sign-in data. If none of it feeds into a centralized view, you can't demonstrate the continuous monitoring that NIST CSF 2.0 requires. Microsoft Sentinel or a similar SIEM tool centralizes these feeds.
Patch Management Gaps
The FTC Safeguards Rule requires timely patching. "Timely" in practice means critical patches within 14 days, high-severity within 30 days. Intune can enforce Windows Update compliance deadlines. The problem arises with line-of-business applications your LOS vendor patches on their own schedule.
Missing or Stale Risk Assessments
Every compliance framework requires a current risk assessment. "Current" means updated annually at minimum, or whenever significant changes occur (new LOS platform, office relocation, acquisition). A risk assessment from 2022 won't satisfy a 2026 examiner.
Inadequate Training Documentation
Staff training on security awareness and compliance is required by GLBA and the FTC Safeguards Rule. The gap isn't usually the training itself. It's the documentation. Keep completion records, test scores, and training dates in a system you can query when examiners ask.
NIST CSF 2.0 vs. CIS Controls vs. CISA CPGs: Which Framework Fits Your Lender
With the CAT retired, mortgage companies must choose a replacement framework. Each option serves a different organizational profile.
| Dimension | NIST CSF 2.0 | CIS Controls v8.1 | CISA CPGs 2.0 |
|---|---|---|---|
| Best for | Mid-to-large lenders with compliance staff | Smaller lenders wanting prioritized quick wins | Lenders needing minimal-baseline coverage |
| Structure | 6 functions, 22 categories, 106 subcategories | 18 controls, 153 safeguards in 3 implementation groups | 37 cross-sector goals + sector-specific additions |
| Adoption rate (FIs) | 81% partial or full | Wide but less documented | 9% as primary framework |
| Examiner recognition | Highest — FFIEC primary recommendation | Accepted by most examiners | Growing but newer |
| Implementation effort | High — requires mapping to your environment | Medium — prescriptive and actionable | Low — designed as floor, not ceiling |
| Regulatory mapping | Strong — maps to FFIEC, GLBA, FTC, SOX | Good — maps to NIST CSF, PCI DSS | Limited — newer framework |
Most financial institutions will end up with NIST CSF 2.0 as the primary framework, supplemented by CIS Controls for implementation prioritization. The CIS Controls' three implementation groups (IG1, IG2, IG3) provide a natural roadmap: IG1 covers essential cyber hygiene that every lender needs, IG2 adds controls for organizations managing sensitive data, and IG3 covers advanced threats. A mid-size mortgage company should target IG2 compliance as the baseline.
Whichever framework you choose, document the decision, the rationale, and the mapping to your specific regulatory obligations. Examiners don't require a specific framework. They require a defensible choice backed by evidence.
The MSP Factor: Why In-House IT Alone Isn't Enough
Mid-size mortgage companies face a staffing problem. A full compliance program requires expertise in identity management, endpoint security, data protection, incident response, and vendor management. That's five specialties. Most lenders have an IT team of one to three people.
A managed service provider (MSP) with financial services expertise fills the gap. The right MSP brings:
- Pre-built compliance configurations for Microsoft 365 that map to NIST CSF 2.0 and CIS Controls
- 24/7 monitoring that your two-person IT team can't provide
- Exam preparation support including evidence gathering, policy review, and examiner response coordination
- Continuous hardening that adapts as Microsoft releases new security features and as regulations change
The cost of a compliance-focused MSP is typically less than one additional full-time security engineer. The ROI becomes obvious the first time you pass an exam without findings. For mortgage companies navigating the post-CAT framework transition, going beyond Microsoft Secure Score with a managed security program provides the operational context that turns compliance metrics into actual security posture.
A 90-Day IT Framework Hardening Plan
If your current framework has gaps, here's a prioritized 90-day plan to close the most common ones.
Days 1-30: Identity and Access
- Enable MFA for all users, including service accounts where possible
- Block legacy authentication via Conditional Access
- Audit admin role assignments and remove unnecessary privileged access
- Implement named Conditional Access policies (not just defaults) for each user group
Days 31-60: Data Protection and Monitoring
- Enable BitLocker enforcement through Intune compliance policies
- Deploy DLP policies targeting SSNs, account numbers, and loan application data
- Configure Microsoft Defender alerting and assign response owners
- Set up centralized audit logging with 180-day minimum retention (Microsoft extended E3 audit retention from 90 to 180 days in October 2023)
Days 61-90: Documentation and Testing
- Write or update your Information Security Policy to match actual controls
- Conduct a tabletop incident response exercise
- Test backup restoration and document RTO/RPO results
- Complete vendor risk assessments for your top 10 data-access vendors
- Build your monthly compliance dashboard in Power BI or Guardian Security Insights
How Does Your IT Framework Measure Up?
The FFIEC CAT is gone. Fannie Mae's cybersecurity supplement is enforceable. If your IT framework was built around the old assessment model, gaps are already accumulating. A 30-minute compliance gap assessment identifies where your framework stands against NIST CSF 2.0 requirements — before your next examiner does.
Frequently Asked Questions
The FFIEC retired the CAT on August 31, 2025 and now endorses three alternatives: NIST Cybersecurity Framework 2.0, CISA Cybersecurity Performance Goals, and CIS Controls v8.1. Mortgage companies should align with at least one of these frameworks and document their risk assessments against its control categories. Examiners expect to see framework alignment in your next examination cycle.
The FTC Safeguards Rule requires mortgage companies to implement specific technical controls including encryption of customer data in transit and at rest, multi-factor authentication on all systems accessing customer information, continuous monitoring, and a written incident response plan. Non-compliance can result in FTC enforcement actions and state-level penalties that compound across jurisdictions.
An institution's incident response plan must include named roles and responsibilities, escalation procedures with contact information, communication templates for regulators and affected borrowers, evidence preservation procedures, and recovery steps with documented recovery time objectives. The plan requires annual tabletop testing with documented results and corrective actions tracked to completion.
Mortgage companies should update IT risk assessments at least annually and whenever significant changes occur. Significant changes include deploying a new LOS platform, migrating to cloud infrastructure, opening or closing branch offices, merging with another company, or experiencing a security incident. A risk assessment older than 12 months will draw examiner scrutiny during any regulatory review.
The most common findings include legacy authentication protocols still enabled, missing or stale risk assessments, inadequate patch management documentation, lack of centralized security logging, incomplete vendor risk management programs, and policies that describe controls not actually implemented. Addressing these six areas before an examination eliminates the majority of typical findings for mortgage companies.
Justin Kirsch
CEO, Access Business Technologies
Justin Kirsch has guided mortgage companies through compliance framework transitions for over 25 years — from GLBA and SOX to FFIEC cybersecurity assessments and now the post-CAT landscape. As CEO of Access Business Technologies, he builds IT frameworks that pass examinations and protect borrower data for hundreds of mortgage lenders nationwide.