What Are the Updated HUD Cyber Incident Reporting Requirements for Lenders?

In December 2024, the U.S. Department of Housing and Urban Development (HUD) issued Mortgagee Letter 2024-23, updating its cyber incident reporting requirements for Federal Housing Administration (FHA)-approved mortgagees. These changes are part of a broader effort to strengthen cybersecurity practices and protect the integrity of FHA programs from evolving cyber threats. Below is a detailed guide to understanding these new requirements.

Defining a Reportable Cyber Incident

HUD defines a Cyber Incident as any event that compromises the confidentiality, integrity, or availability of an information system or its data. A Reportable Cyber Incident specifically refers to an event that disrupts or is likely to disrupt a mortgagee’s ability to originate or service FHA-insured mortgages. Examples include breaches involving personally identifiable information (PII), ransomware attacks, and unauthorized access to systems.

Reporting Timeline and Procedures

Under the new guidelines, mortgagees must notify HUD of a Reportable Cyber Incident as soon as possible, but no later than 36 hours after determining that such an incident has occurred. Prompt reporting ensures that HUD can take necessary actions to safeguard its systems and provide assistance to affected entities.

To report an incident, mortgagees must send notifications to both:

a) HUD’s FHA Resource Center at answers@hud.gov

b) HUD’s Security Operations Center at cirt@hud.gov

The notification must include:

a) Mortgagee Name: The official name of the entity.

b) Mortgagee ID: Identification number assigned by HUD.

c) Contact Information: Name, email, and phone number of the designated point of contact.

d) Incident Description: Details such as the date, cause, impact on systems, effect on PII or credentials, and any affected subsidiaries.

e) Response Status: Current efforts to address the incident, including whether law enforcement has been notified.

Alignment with Federal Standards

The 36-hour reporting requirement aligns with standards set by federal banking agencies, ensuring consistency across financial institutions. This timeline underscores the critical importance of rapid response to cyber threats, minimizing potential damage to systems and data.

Implications for Mortgagees

To comply with these requirements, FHA-approved mortgagees must:

a) Enhance Internal Policies: Update cybersecurity protocols to ensure incidents are detected and evaluated promptly.

b) Establish Incident Response Plans: Develop clear procedures for addressing and reporting cyber incidents.

c) Invest in Training: Equip employees with the knowledge to identify and respond to cyber threats effectively.

Failure to comply with these requirements could result in regulatory penalties and jeopardize the mortgagee’s ability to participate in FHA programs.

Key Takeaways for Lenders

HUD’s updated cyber incident reporting requirements highlight the growing importance of cybersecurity in the housing finance sector. These changes aim to:

a) Enhance the resilience of FHA programs.

b) Protect sensitive borrower and operational data.

c) Foster a proactive approach to managing cyber risks.

Conclusion

Mortgagees should view these updated requirements as an opportunity to strengthen their cybersecurity frameworks. By adhering to the 36-hour reporting rule and implementing robust incident response measures, lenders can safeguard their operations while contributing to the overall security of the housing finance system. For more details, consult the full text of Mortgagee Letter 2024-23 on HUD’s website.

Source: https://www.hud.gov/sites/dfiles/OCHCO/documents/2024-23hsgml.pdf?utm_medium=email&utm_source=govdelivery
