MGIC's Privacy Statement
MGIC Investment Corporation, through its subsidiaries, including Mortgage Guaranty Insurance Corporation ("MGIC"), MGIC Assurance Corporation, MGIC Credit Assurance Corporation, and MGIC Investor Services Corporation (collectively, the "MGIC Companies"), provides mortgage guaranty insurance and other products and services to mortgage lenders, investors and loan servicers.
Collection of Consumer Information
In the course of providing products and services to your company, you may provide us with confidential information about your company and we may independently obtain or receive from your company, lenders, loan brokers, correspondents, consumer reporting agencies and other unaffiliated third parties certain personal and financial information concerning consumers, including nonpublic personal information, as such term is defined in Title V of the Gramm-Leach-Bliley Act and regulations promulgated pursuant to that Act, and customer information and sensitive customer information, as defined in the Interagency Guidelines Establishing Information Security Standards ("Security Guidelines") and the Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice ("Guidance") adopted jointly by the FDIC, FRB, OCC and OTS (collectively, "confidential information"). Confidential information about consumers collected by MGIC in connection with providing mortgage guaranty insurance includes loan application information, transaction information, such as payment history data, credit information and information related to property owned by consumers. Confidential information collected by other MGIC Companies in connection with providing other services will depend on the nature of the services provided, as described in the contract for the services.
We may retain confidential information as reasonably required in the ordinary course of our business and in compliance with applicable law. Confidential information, whether in paper or electronic format, including consumer information and customer information, will be properly disposed of in accordance with the requirements of the Security Guidelines, the Fair and Accurate Credit Transactions Act of 2003 and the related regulations, when retention is no longer required by the applicable MGIC Company.
Use and Disclosure of Consumer Information
It is the policy of the MGIC Companies to comply with all laws and regulations concerning use and disclosure of confidential information, including the Equal Credit Opportunity Act, the Fair Credit Reporting Act, the Gramm-Leach-Bliley Act and related regulations.
The MGIC Companies may disclose confidential information (a) to their affiliates, (b) to third parties as may be reasonably necessary to effect, administer or enforce insurance transactions, (c) to consumer reporting agencies in accordance with applicable law, (d) with the consent or at the request of your company or the consumer to whom the confidential information relates, and (e) as permitted or required by applicable law, including without limitation, pursuant to the provisions of the Security Guidelines, the Guidance, Section 502(e) of Title V of the Gramm-Leach-Bliley Act and federal and state regulations implementing such provisions. The MGIC Companies do not disclose confidential information to third parties for marketing purposes or under other circumstances that would require either that prior notice be given to the consumer or that the consumer be afforded an opportunity to opt out of such disclosure under the provisions of the Gramm-Leach-Bliley Act and related regulations.
In the case of non-insurance services, the MGIC Companies disclose confidential information to their respective clients and to such other unaffiliated third parties to whom disclosure is requested or authorized by such clients, and use confidential information only as described in the contract for services. Contracts for non-insurance services typically include provisions requiring the MGIC Companies to maintain confidentiality of information.
Consultants, subcontractors or other unaffiliated third parties who are given access to confidential information in connection with services performed for the MGIC Companies will be subject to information security risk assessment and monitoring. Such third parties will be required to sign confidentiality agreements restricting use and disclosure of confidential information to the persons who have a need to know the information in connection with the consulting assignment or service engagement, and requiring that the recipients safeguard confidential information in accordance with the Security Guidelines and our information security program, and report incidents of unauthorized access of confidential information to the MGIC Companies consistent with the Guidance.
Protection of Consumer Information
The MGIC Companies have implemented and maintain a comprehensive information security program to protect the security, confidentiality and integrity of confidential information in accordance with the objectives of the Security Guidelines and Guidance. As part of our program, the MGIC Companies have adopted and agree to maintain policies and practices designed to:
- ensure the security and confidentiality of confidential information;
- protect against any anticipated threats or hazards to the security or integrity of confidential information; and
- protect against unauthorized access to or use of confidential information that could result in substantial harm or inconvenience to any consumer.
The MGIC Companies maintain physical, electronic and procedural safeguards, measures and controls for the protection, security and integrity of confidential information that are consistent with commercially reasonable standards and practices.
Security measures include access controls on computer systems, access restrictions at physical locations where confidential information is maintained, encryption of confidential information transmitted electronically, employee screening, and monitoring of security measures, both internally and in connection with confidential information disclosed to third parties, as described above.
For more information, click here to request a copy of our Information Security Program.
Monitoring of Information Security
The MGIC Companies will notify your company in writing (at such address as may be specified by your company in a written notice addressed to: MGIC Information Security Director, P.O. Box 488, 250-270 East Kilbourn Avenue, Milwaukee, Wisconsin 53201-0488) of any incident of unauthorized access to your company's customer information involving the MGIC Companies or our information systems. The notice will describe the incident, the type of customer information that was the subject of the unauthorized access or use, and the measures taken to protect the customer information from further unauthorized access.
We routinely perform risk assessments of our information security program and procedures, adopt reasonable controls designed to address the identified risks, and regularly monitor the controls using both internal and independent audits and security tests. MGIC is certified by Cybertrust Corporation. This accreditation requires quarterly reviews and an annual on-site evaluation of policies, procedures, general controls, and system testing. All findings are verified and addressed immediately by our Information Security Council. In addition, we conduct security reviews periodically and coordinate third party assessments as deemed appropriate. Internal audit findings are not made publicly available. A copy of the certificate relating to the most recent review of our system security by Cybertrust Corporation can be found here.
We will respond to reasonable requests for additional information concerning our information security program and we will cooperate with your company in order to permit you, your employees or agents, at your expense, to conduct reasonable audits at MGIC's premises of our confidential information safeguards, consistent with your company's responsibilities under the Security Guidelines and applicable banking and privacy laws and regulations, provided that you give us reasonable advance notice and your company, employees and agents agree in writing to treat any information observed and/or obtained during such audits as confidential information of the MGIC Companies and to disclose such information only to your company's directors, officers, employees, agents, regulators and examiners who need to know such information for the purposes described in this paragraph. In conducting any such audits, your company, employees and agents will not interfere with the MGIC Companies' confidentiality obligations to third parties or the protection of the integrity and security of the MGIC Companies' own confidential information. Any actual contact with our information systems in the course of such audits will be performed exclusively by our personnel, who will cooperate in good faith to provide your company, employees and agents with pertinent information.
Business Continuity
The MGIC Companies also have developed a thorough program to prevent interruptions in our business operations. Our full-time Business Continuity Coordinators are dedicated to the development and on-going testing of recovery plans for all business units within the MGIC Companies, as well as the overall network and system infrastructure. Our business continuity program includes measures designed to provide for prompt recovery of key business functions in the event of a disaster through back-up power facilities, a hot-site recovery location and co-location of high availability applications with a leading recovery services company.
The above statement sets forth our current policies with respect to confidential information regarding your company, customers and consumers. We may make changes to our policies as we determine appropriate; however, we will notify you before any change to our policy regarding sharing consumer information with unaffiliated third parties which would require notices to be given to consumers.
