
FHA Issues New Cybersecurity Incident Reporting Requirements

The Federal Housing Administration (“FHA”) published Mortgagee Letter (ML) 2024-10 on May 23, 2024, to announce new cybersecurity incident reporting requirements.

An announcement regarding the new guidance, FHA INFO 2024-32, states that the new policy will be included in a future update to the Single Family Housing Policy Handbook 4000.1, under the Operational Compliance (V.A.2.b.) and Significant Cybersecurity Incident (viii.) sections of the Quality Control, Oversight, and Compliance section. However, FHA emphasizes in its announcement that the new requirements are effective immediately with the publication of ML 2024-10.

 

ML 2024-10 provides the definition of a “Significant Cybersecurity Incident (Cyber Incident)” as “an event that actually or potentially jeopardizes, without lawful authority, the confidentiality, integrity, or availability of information or an information system; or constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies and has the potential to directly or indirectly impact the FHA-approved mortgagee’s ability to meet its obligations under applicable FHA program requirements.”

 

FHA-approved mortgagees that become aware of a potential or actual cyber incident are required to notify the Department of Housing and Urban Development (“HUD”) within 12 hours of detection through the FHA Resource Center at answers@hud.gov and HUD’s Security Operations Center at cirt@hud.gov. ML 2024-10 specifies the details that must be provided in the incident report, such as the lender’s name, identification number, the lender’s point of contact, and a detailed description of the cybersecurity incident. The details provided should include any known information about the nature of the cyber incident, such as the date and cause, a list of impacted subsidiary or parent companies, the status of the lender’s response to the incident, and the impact to IT systems architecture, login credentials and Personally Identifiable Information.

 

The announcement further states that once HUD is notified, “a representative from HUD will contact the designated representative from the institution reporting the incident to determine the appropriate mitigating steps based on the nature of the incident.”

 

As the number of cyberattacks continues to increase for lenders across the industry, ML 2024-10 states that the new policy is “part of HUD’s commitment to the security and integrity of all operations systems and technology.”

 
