As previously reported, in May 2024 FHA announced a requirement for FHA-approved lenders to notify the U.S. Department of Housing and Urban Development (HUD) of Significant Cybersecurity Incidents, and the requirement was effective immediately. Apparently in response to industry criticism, FHA announced revised requirements in Mortgagee Letter 2024-23.
Originally, for purposes of the reporting requirement, a Significant Cybersecurity Incident (Cyber Incident) was defined as “an event that actually or potentially jeopardizes, without lawful authority, the confidentiality, integrity, or availability of information or an information system; or constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies and has the potential to directly or indirectly impact the FHA-approved mortgagee’s ability to meet its obligations under applicable FHA program requirements.” Also, lenders were required to report a Cyber Incident to HUD’s FHA Resource Center at answers@hud.gov and HUD’s Security Operations Center at cirt@hud.gov within 12 hours of detection.
The Mortgage Bankers Association (MBA) submitted comments to HUD critical of certain aspects of the Cyber Incident reporting requirements. In particular, MBA believed the 12-hour reporting timeframe to be “both unreasonable and impracticable.” Addressing the scope of what was considered a Cyber Incident, MBA noted that “HUD requires FHA lenders to report any incidents ‘potentially’ affecting ‘information,’ regardless of its relevance to FHA mortgage lending or the mortgagee’s ability to comply with FHA program requirements.”
Under the revised requirements, a Cyber Incident and Reportable Cyber Incident are defined as follows:
“A Cyber Incident is an occurrence that results in actual harm to the confidentiality, integrity, or availability of an information system or the information that the system processes, stores, or transmits.
A Reportable Cyber Incident is a Cyber Incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, the FHA-approved Mortgagee’s ability to meet its operational obligations for originating or servicing FHA-insured Mortgages.”
The concept of potential jeopardy to the confidentiality, integrity, or availability of information or an information system was removed, and the concept of a potential direct or indirect impact on a lender’s ability to meet its obligations under applicable FHA program requirements was revised. A Cyber Incident now involves only actual harm to the confidentiality, integrity, or availability of an information system or the information that the system processes, stores, or transmits, and the incident must be reported only if it has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, the lender’s ability to meet its operational obligations for originating or servicing FHA-insured loans. Thus, to be reportable, an incident must result in actual harm to an information system or its information, and that harm must have materially disrupted or degraded (or be reasonably likely to materially disrupt or degrade) the lender’s ability to meet its operational obligations for originating or servicing FHA loans.
Additionally, the timeframe for reporting was modified from within 12 hours of detection to “as soon as possible and no later than 36 hours after the Mortgagee has determined that a Reportable Cyber Incident has occurred.”
Also, the report originally had to include, among other information, the name, email address, and phone number of the lender’s point of contact for Security Operations Center follow-up activities. As revised, the report must include the name, email address, and phone number of the lender’s point of contact for coordinating follow-up activities.