On September 30, 2024, the Federal Housing Administration (FHA) published a draft Mortgagee Letter (ML) with updated cyber incident reporting requirements and a call for interested stakeholders to provide feedback to the draft ML through October 30, 2024.
In the draft ML, the FHA proposes to:
- Update the current triggers for reporting cyber events to the Department of Housing and Urban Development (HUD) by tying reporting to a newly defined term, “Reportable Cyber Incident.”
- Extend the reporting timeline from 12 hours to 36 hours.
Current reporting requirements
As detailed in our May 2024 client alert, ML 2024-10 requires FHA-approved Mortgagees to report certain cyber incidents to HUD within 12 hours of detection. The current reporting requirements define a “Significant Cyber Incident” in exceptionally broad terms, encompassing incidents that either:
- Actually or potentially jeopardize the confidentiality, integrity, or availability of information or an information system.
- Constitute a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies and have the potential to directly or indirectly impact an FHA-approved Mortgagee’s ability to meet its obligations under applicable FHA program requirements.
‘Cyber Incident’ and ‘Reportable Cyber Incident’
The draft ML would replace ML 2024-10’s “Significant Cyber Incident” standard with two newly defined terms that clarify and narrow the scope of cyber incidents that fall within the reporting requirements. The draft ML defines a “Cyber Incident” as an occurrence that results in actual harm to the confidentiality, integrity, or availability of an information system or the information that the system processes, stores, or transmits. The draft ML goes on to define the term “Reportable Cyber Incident” as a cyber incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, an FHA-approved Mortgagee’s ability to meet its operational obligations for originating or servicing FHA-insured mortgages.
In contrast to ML 2024-10’s current reporting requirements that apply to incidents that have the potential to impact a Mortgagee’s information system, the draft ML proposes to require reporting of incidents that result in actual harm to information systems and data and also result (or are reasonably likely to result) in a material disruption or degradation of the Mortgagee’s origination or servicing obligations for FHA-insured mortgages. These new definitions tie the reporting requirements more clearly to a Mortgagee’s ability to meet its FHA obligations, rather than serving as a broader blanket notification requirement.
Extended reporting timeline
The draft ML also proposes extending the required time frame for notifying HUD of reportable incidents from the current 12 hours to 36 hours. However, the draft ML notes that “FHA Mortgagees [should] continue the effective practice of providing same-day notification to HUD when a Reportable Cyber Incident occurs.”
Notably, the proposed 36-hour requirement is triggered upon a Mortgagee determining that a “Reportable Cyber Incident” has occurred. When read in context of the proposed definition of “Reportable Cyber Incident,” the draft ML arguably permits time to conduct a reasonable investigation to determine whether:
- There has been actual harm to the confidentiality, integrity, or availability of information systems or data.
- The incident has or is likely to materially disrupt or degrade a Mortgagee’s ability to meet its origination or servicing obligations for FHA-insured mortgages.
Impact and invitation for comment
The updated definitions and timelines in the draft ML are not yet finalized, so Mortgagees should continue following ML 2024-10’s reporting requirements, which still apply. HUD is accepting feedback on the draft ML through October 30, 2024, and interested parties can submit their comments to sffeedback@hud.gov.
[View source.]
