HUD, SEC Issue Updates on Cybersecurity Incident Reporting

HUD and SEC each recently issued updates to their cybersecurity incident reporting requirements.

Both agencies previously issued rules on how certain regulated entities must promptly report to the agency if they experience a cybersecurity breach.  HUD’s update requires FHA-approved mortgagees that have experienced a significant cybersecurity incident to report it by email to HUD’s FHA Resource Center and HUD’s Security Operations Center within 12 hours of detection.  The update also lists the information which they must include in that report.

Under the SEC’s rules, public companies are required to disclose material cybersecurity incidents under Item 1.05 of Form 8-K.  The SEC’s update clarifies that if a company chooses to disclose an incident where the company has either not yet made a determination of materiality or has determined such event was not material, the company should report the incident under a different part of Form 8-K, such as Item 8.01, in order to avoid investor confusion.