On May 23, 2024, the U.S. Department of Housing and Urban Development (“HUD”) issued requirements, effective immediately, for all FHA-approved mortgagees to report certain cyber incidents to HUD within 12 hours of detection. The new reporting requirement doesn’t appear in a statute or regulation, but in Mortgagee Letter 2024-10. For those not familiar, “Mortgagee Letters” are issued by HUD to inform lenders about FHA “operations, policies, procedures, and changes,” and can be incorporated into the FHA Single Family Housing Policy Handbook, which is a single, comprehensive resource to guide lenders through the rules and requirements that apply to the FHA mortgage process.

This post addresses (i) who has to comply with the new reporting requirement, (ii) what has to be reported (ii) when a cyber incident has to be reported, and (iv) how to report to HUD.   It also offers key considerations for organizations subject to the new reporting requirement.

Who is required to comply with the new HUD cyber incident reporting requirements?

All FHA-approved mortgagees are required to comply which includes all direct endorsement underwriters, HUD-certified housing counselors, real estate brokers, and closing agents (“Mortgagees”). Mortgagee Letter 2024-10 will amend the forthcoming update of the HUD Handbook 4000.1, FHA Single Family Housing Policy Handbook.

What cyber incidents must be reported?

The Mortgagee Letter requires Mortgagees to notify HUD when a “Significant Cybersecurity Incident” is detected. A Significant Cybersecurity Incident (“Cyber Incident”) is defined as any event that:

• Actually or potentially jeopardizes, without lawful authority, the confidentiality, integrity, or availability of information or an information system; or
• Constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies and has the potential to directly or indirectly impact the Mortgagee’s ability to meet its obligations under applicable FHA program requirement.

When must a cyber incident be reported?

Any Mortgagee that has experienced an actual or suspected Cyber Incident must report the incident to HUD “within 12 hours of detection.”

How is a Cyber Incident report made to HUD?

Cyber Incidents must be reported to HUD by email to both to the FHA’s Resource Center and HUD’s Security Operations Center. The report must include detailed information about the Cyber Incident, including:

• mortgagee name and ID;
• contact information for mortgagee’s point of contact for follow up activities;
• description of the Cyber Incident, including, if known date and cause of Cyber Incident, impacts to personally identifiable information, login credentials, and IT systems architecture, list of any impacted subsidiary or parent companies, and description of the current status of the mortgagee’s cyber incident response, including whether law enforcement has been notified.

Key considerations for Mortgagees

The Mortgagee Letter announcing the new cyber incident reporting requirement is brief but packs a large punch.

Most notable is the very short 12-hour reporting timeframe. That reporting timeframe stands out against the patchwork of U.S. data breach notification laws, as by far the shortest timeframe, and is also notable because its clock starts to run 12 hours from “detection” of an incident, and not from the time the incident is determined to be trigger the reporting requirement. In practice, 12 hours is an extremely tight turnaround from the time a Cyber Incident is detected, and many organizations will be challenged to launch their incident response process and gather enough detail about the incident to report the requested information to HUD.

The reporting requirement also applies to a broad set of incidents that would not typically trigger notification obligations under other laws, including “suspected incidents” and incidents that do not impact sensitive or otherwise personally identifiable information. To that end, Mortgagees are required to report both violations and “imminent threat[s] of violation” of security policies that directly or indirectly impact its ability to meet FHA program obligations.

Following HUD’s issuance of the Mortgagee Letter, the American Bankers Associate, the Bank Policy Institute, and the Housing Policy Council (the “Associations”) sent a joint letter to the FHA on June 21 requesting that the Mortgagee Letter be withdrawn. The Associations asserted that the Letter “contains wide-ranging and rapid requirements for cyber incident reporting that are simply not achievable and will present considerable compliance challenges for FHA-approved mortgagees.” The Associations specifically noted the “impractical” definition of the term “Significant Cybersecurity Incident” and the 12-hour reporting timeframe.

Unless the Associations’ bid for HUD to withdraw the Mortgagee Letter succeeds, or HUD otherwise does away with the new reporting requirements, Mortgagees should take the following steps to meet those new requirements:

1. Revise your incident response program to incorporate the categories of Cyber Incidents outlined in the Mortgagee Letter.
2. Ensure you have real-time monitoring capabilities to be in a position to quickly initiate your incident response processes once an incident is detected. 
3. Ensure incidents are appropriately escalated to those with authority to evaluate the incident and notify HUD within 12 hours. The last thing you want to be doing under time pressure is trying to locate an individual with authority to confirm whether an incident falls within the reporting requirement and to send the required notice.
4. Check, and amend as necessary, your third-party service provider contracts. These contracts should hopefully already include notification deadlines for the service providers to report cybersecurity incidents.  But in light of the new reporting requirements, now would be a good time to review, and if necessary, amend the contracts to align the service providers’ notification deadlines with your reporting obligations under the Mortgagee Letter.