On May 23, 2024, the U.S. Department of Housing and Urban Development (HUD) announced new cybersecurity reporting requirements for Federal Housing Administration (FHA)-approved mortgagees. Under the updated Single Family Housing Policy Handbook 4000.1, these mortgagees must now report “suspected” Significant Cybersecurity Incidents to HUD within 12 hours of detection. The new rule aims to enhance the timeliness and transparency of reporting significant cyber threats.
HUD defines a Significant Cyber Incident as an event that either jeopardizes the confidentiality, integrity, or availability of information or information systems or poses an imminent threat to the mortgagee’s compliance with FHA requirements. This broad definition encompasses various types of cyberattacks, including theft, ransomware, and DDoS attacks, as well as breaches affecting third-party service providers that could indirectly impact the mortgagee.
The reporting requirement imposes a stringent deadline, demanding detailed incident information within a very short time frame. Mortgagees are required to provide specific details, such as the date, cause, and impact of the cybersecurity incident. Obtaining comprehensive information about an incident within 12 hours may be difficult for many lenders.
The broad scope of HUD’s definition of a Significant Cyber Incident and the tight reporting deadline present significant compliance challenges for mortgage lenders. To comply, lenders must implement robust procedures to quickly assess and report cybersecurity incidents in line with HUD’s stringent reporting standards.