Federal Housing Administration Adopts New Cyber Reporting Requirements

Cooley LLP

The Federal Housing Administration (FHA) published Mortgagee Letter 2024-10 (Letter) on May 23, 2024, requiring FHA-approved Mortgagees to report certain cyber incidents to the Department of Housing and Urban Development (HUD) within 12 hours of detection.

Reporting requirement

Mortgagees who experience a “suspected” Cyber Incident must report the incident to the FHA Resource Center and HUD’s Security Operations Center within 12 hours of detecting it. The new requirement is effective immediately.

Broad scope

The Letter defines a “Significant Cyber Incident” (Cyber Incident) in incredibly broad terms. A Cyber Incident is an event that either:

  • Actually or potentially jeopardizes – without lawful authority – the confidentiality, integrity, or availability of information or an information system.
  • Constitutes a violation or imminent threat of violation of security policies, security procedures or acceptable use policies and has the potential to directly or indirectly impact the FHA-approved Mortgagee’s ability to meet its obligations under applicable FHA program requirements.

This definition arguably captures a wide range of cyber activity and requires reporting for activity that may ultimately not constitute a cyber event under other incident-reporting frameworks. Mortgagees must report “suspected” events that “potentially” jeopardize the confidentiality of information or an information system – terms that are not defined – and “suspected” events that present “imminent” – not necessarily actual – threats of a violation of a Mortgagee’s policies. Likewise, Mortgagees must report policy violations that have the “potential” to impact, directly or indirectly, the Mortgagee’s ability to meet its FHA obligations.

Impact

The Letter requires Mortgagees to provide the date of the Cyber Incident, the cause, and the impact to personal data, login credentials and information technology systems. The Mortgagee also must describe the status of its investigation and whether it has notified law enforcement.

Realistically, within the first 12 hours after discovering a cyber event, many Mortgagees may not know the actual or potential impact of the event, and a Mortgagee’s assessment of the actual or potential impact will likely change and develop over the course of its forensic investigation.

Mortgagees may not even have activated a formal incident response procedure within the first 12 hours after discovery. In practice, therefore, it is unlikely that an impacted Mortgagee will have the information needed to fully comply with FHA’s reporting standard within the required time frame.

The broad definition of Cyber Incident may trigger an influx of potentially nonmaterial cyber activity reports, making it challenging for FHA to quickly identify and address the most impactful Cyber Incidents. Additionally, the Letter requires Mortgagees to submit these reports by email to HUD’s Security Operations Center and the FHA Resource Center, the latter of which is to be notified via the Resource Center’s general inbox, which may result in longer response times for general inquiries regarding FHA’s programs.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Cooley LLP
