FHA extends cybersecurity reporting requirement timeline from 12 to 36 hours
The Federal Housing Administration (FHA) this week published a final Mortgagee Letter (ML), 2024-23, that requires lenders to report a cybersecurity breach within 36 hours of detecting it. While the FHA posted a draft version of the ML online in September to seek feedback, the agency stated that the draft is being issued as final without any changes.
The 36-hour timeline, while tight, is still an extension from prior guidance released in ML 2024-10, published in May. That proposal required lenders and other FHA program participants to report a breach within 12 hours of detection.
“Effective immediately, FHA-approved mortgagees must notify the U.S. Department of Housing and Urban Development (HUD) as soon as possible — but no later than 36 hours — after determining that a reportable cyber incident has occurred via the FHA Resource Center […] as well as HUD’s Security Operations Center,” the notice explained.
The ML is effective immediately and applies to all FHA-insured loan programs.
Since HUD serves as an “operational partner” of FHA-approved lenders and facilitates direct access to HUD systems and applications, the agency said it is “vital that HUD receive early cyber incident notifications to defend its systems, including sensitive information within, and to enable swift and collaborative dialogue between HUD’s Chief Information Security Officer and the FHA Mortgagee’s security operations official when a reportable cyber incident occurs.”
The ML seeks to align FHA’s cybersecurity incident reporting requirements with those of federal banking agencies. HUD encourages FHA-approved lenders to “continue the effective practice of providing same-day notification to HUD when a reportable cyber incident occurs,” the letter stated.
Some industry participants offered feedback that could have led to an extension of the timeline beyond 36 hours. In late October, the National Reverse Mortgage Lenders Association (NRMLA) submitted feedback via the FHA’s Single Family Drafting Table.
In its comments, NRMLA said it would be a better option to align with similar policies announced by Ginnie Mae earlier this year. The government-owned company issued an All-Participant Memorandum (APM) in March that gives issuers a timetable of 48 hours to notify the company of the relevant details related to a suspected cybersecurity breach.
NRMLA’s letter, prepared in consultation with its HUD issues and servicing committees, made the case that the ideal scenario would be greater alignment with a timetable proposed by the Office of the National Cyber Director, a division inside the White House.
FHA did not include details about why it chose to disregard the feedback it received about this proposal. The new requirement is expected to be incorporated into a future revision of the Single Family Housing Handbook 4000.1.
Mortgage companies, along with other industries worldwide, have had to reckon with an accelerating rate of cybersecurity incidents in recent years. Ransomware attacks — in which a bad actor gains access to an individual’s or organization’s digital systems, encrypts them and sells the decryption key to the victim for a price — are often the tool of choice.
Entities across the mortgage industry recently impacted by cyberattacks include American Neighborhood Mortgage Acceptance Co. LLC (dba AnnieMac), Mr. Cooper Group, First American and Fidelity National Financial Inc., the parent of servicer LoanCare.
These incidents caused the companies to temporarily shut down certain systems to contain attacks that exposed customer data. The accelerating frequency of cybercrime has many of these companies on edge.