FHA Proposes Revised Cyber Incident Reporting Requirements

On September 30, 2024, FHA announced the posting to its Drafting Table of a draft Mortgagee Letter proposing updated requirements for when FHA-approved mortgagees must notify HUD when a reportable cyber incident occurs.  Among other things, the draft letter:

• Proposes to extend the timeframe to report a cyber incident to HUD from 12 hours to 36 hours, after the FHA mortgagee confirms it’s a reportable incident.
• Clarifies the definition of a reportable cyber incident to provide that it must cause actual harm to the FHA mortgagee’s ability to operationally handle FHA-insured mortgages (i.e., significantly disrupt the mortgagee’s ability to originate or service such mortgages, such as through compromising borrower data, disrupting loan processing systems, or hindering communications with borrowers).

The proposed Mortgagee Letter would supersede ML 2024-10 and will be incorporated into HUD Handbook 4000.1.  Stakeholders are invited to provide input on the proposed Mortgagee Letter through October 30, 2024.