As we discussed in a recent post, earlier this year the U.S. Department of Housing and Urban Development (“HUD”) issued Mortgagee Letter 2024-10, which imposed a new requirement on all FHA-approved mortgagees to report certain cyber incidents to HUD within 12 hours of detection. As our post explained, that requirement drew objections from a group of industry associations that included the American Banker’s Association, the Bank Policy Institute, and the Housing Policy Council.
It seems HUD may have been receptive to the associations’ concerns: On September 30, 2024, HUD released a draft Revised Cyber Incident Reporting Requirements Mortgagee Letter (“Draft ML”) for review and comment. The Draft ML proposes to narrow the scope of incidents that are subject to the reporting requirement and extend the reporting timeline from 12 hours to 36 hours.
In the background section of the Draft ML, HUD noted the proposed clarifications are intended to align the reporting requirements with the computer-security incident reporting established by federal banking agencies and in response to “unprecedented influx of Cyber Incidents impacting FHA Mortgagees, beginning in Fiscal Year 2023.”
The Draft ML’s Proposed Revisions to the Cyber Incident Reporting Requirements
The Draft ML replaces the previous Mortgagee Letter’s defined term “Significant Cybersecurity Incident,” which was defined to cover a broad set of incidents (including “suspected” incidents that would not typically trigger notification obligations under other laws), with the term “Reportable Cyber Incident.” Under the Draft ML, a “Reportable Cyber Incident” is one that results in actual harm and that has “materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, the FHA-approved Mortgagee’s ability to meet is operational obligations.” The Draft ML, if adopted, would thus substantially narrow the universe of incidents that would trigger a reporting obligation to HUD as compared to the previous Mortgagee Letter.
The Draft ML also proposes that FHA-approved mortgagees report a Reportable Cyber Incident “as soon as possible and no later than 36 hours after the mortgagee has determined that a Reportable Cyber Incident has occurred.” That change would be notable both because of the extended (albeit still short) reporting timeline, but more importantly because it means that the mortgagee’s notification clock will start only when the mortgagee has determined that the incident constitutes a “Reportable Cyber Incident” that triggers the reporting requirement.
What should FHA-Approved Mortgagees Do Now?
As of the publication of this post, the Draft ML has not been issued and does not have an effective date and HUD has not withdrawn the initial Mortgagee Letter 2024-10. Accordingly, the initial Mortgagee Letter 2024-10 remains in effect and FHA-approved mortgagees are still required to report an actual or suspected “Significant Cybersecurity Incident” within 12 hours of detection.
Meanwhile, the Draft ML was posted on the Federal Housing Administration’s Single Family Drafting Table for industry and stakeholder feedback through October 30, 2024. Following the feedback period, HUD will review all received feedback comments, revise the Draft ML if necessary, and publish a final mortgagee letter. At that time, the final mortgagee letter will be effective and supersede Mortgage Letter 2024-10.
Our previous guidance to FHA-approved mortgagees will thus continue to apply during this interim period while we wait for the updated reporting timeline to be issued.
- Ensure you have real-time monitoring capabilities to be in a position to quickly initiate your incident response processes once an incident is detected.
- Ensure incidents are appropriately escalated to those with authority to evaluate the incident and notify HUD.
- Check, and amend as necessary, your third-party service provider contracts.
