FHA Requiring Reporting of Significant Cybersecurity Incidents

Ballard Spahr LLP

In Mortgagee Letter 2024-10, FHA announced a requirement for FHA-approved lenders to notify the U.S. Department of Housing and Urban Development (HUD) of Significant Cybersecurity Incidents. The Mortgagee Letter, which is dated May 23, 2024, provides that the requirement is effective immediately.

For purposes of the reporting requirement, a Significant Cybersecurity Incident (Cyber Incident) is “an event that actually or potentially jeopardizes, without lawful authority, the confidentiality, integrity, or availability of information or an information system; or constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies and has the potential to directly or indirectly impact the FHA-approved mortgagee’s ability to meet its obligations under applicable FHA program requirements.”

FHA lenders that experience a suspected Cyber Incident must report the Cyber Incident to HUD’s FHA Resource Center at answers@hud.gov and HUD’s Security Operations Center at cirt@hud.gov within 12 hours of detection. Reports must include the following information:

  • Lender name
  • Lender ID
  • Name, email address, and phone number of lender’s point of contact for Security Operations Center follow-up activities
  • Description of the Cyber Incident, including the following, if known:
    • Date of Cyber Incident
    • Cause of Cyber Incident
    • Impact to Personally Identifiable Information
    • Impact to login credentials
    • Impact to Information Technology (IT) system architecture
  • List of any impacted subsidiary or parent companies
  • Description of the current status of the lender’s Cyber Incident response, including whether law enforcement has been notified

The Mortgagee Letter does not include a definition of “Personally Identifiable Information.” The HUD Privacy Handbook provides that pursuant to “the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-122, ‘Guide to Protecting the Confidentiality of Personally Identifiable Information (PII),’ PII is information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other personal or identifying information that is linked or linkable to a specific individual.” The HUD Privacy Handbook sets forth a non-exclusive list of information that may constitute PII on its own or in combination with other information.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.