In early December, FHA published Mortgagee Letter 2024-23 (ML 2024-23) to revise the Cyber Incident reporting requirements for FHA-approved lenders. Earlier this year, in May, FHA published Mortgagee Letter 2024-10 (ML 2024-10), which added Cyber Incident reporting requirements to FHA-approved lenders’ responsibilities. ML 2024-10 added to the FHA Single Family Housing Policy Handbook a definition of a Cybersecurity Incident, a standard for reporting an incident to FHA, and the documentation that must accompany the report. You can review our prior article on ML 2024-10 here.
The more recent ML 2024-23, published in December, revises the previous reporting standard from “within 12 hours of detection” to “as soon as possible and no later than 36 hours after the Mortgagee has determined that a Reportable Cyber Incident has occurred.” Note that the clock now starts at the Mortgagee’s determination that a reportable incident has occurred, not at detection. The revision also changes the term used by FHA and in its handbook from “Significant Cybersecurity Incident” to “Reportable Cyber Incident” and revises its definition.
According to the revised definition, a “Reportable Cyber Incident” is a cyber incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, the FHA-approved Mortgagee’s ability to meet its operational obligations for originating or servicing FHA-insured Mortgages.
The stated goal of the new requirements is to align FHA and HUD with the reporting requirements of other banking agencies. The reporting requirement is intended to help HUD and FHA defend their own systems against potential disruption stemming from a reported incident.
Note also that the new requirements coincide with a proposed rulemaking by the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency that would require “covered entities” to report cybersecurity incidents to DHS, as required by the Cyber Incident Reporting for Critical Infrastructure Act of 2022.