HUD ML Clarifies Cyber Incident Reporting Requirements
Earlier this month, Mortgagee Letter (ML) 2024-10 previewed the policy changes that will be incorporated into Handbook 4000.1. The ML distinguishes a cyber incident from a cyber incident that necessitates reporting, and sets out the timing and documentation requirements for reporting such incidents. This ML is effective immediately.
Specifically, a cyber incident is defined as “an occurrence that results in actual harm to the confidentiality, integrity, or availability of an information system or the information that the system processes, stores, or transmits.” A reportable cyber incident, however, is one that “has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, the FHA-approved Mortgagee’s ability to meet its operational obligations for originating or servicing FHA-insured Mortgages.”
The ML further clarifies that FHA-approved Mortgagees facing a reportable cyber incident are encouraged to report such incidents to HUD’s FHA Resource Center as soon as detected, but “no later than 36 hours” after it has been determined that a reportable incident occurred.
Lastly, the ML requires Mortgagees reporting cyber incidents to provide all relevant contact information necessary for coordinating follow-up activity between the Mortgagee and the HUD FHA Resource Center, including the Mortgagee’s name, email address and phone number.
This updated ML comes after HUD invited stakeholder input on cyber incidents earlier this year. WBK’s coverage of earlier input is available here.