FHA issues reporting requirements on significant cybersecurity incidents | Orrick, Herrington & Sutcliffe LLP

On May 23, HUD issued Mortgagee Letter (ML) 2024-10, titled “Significant Cybersecurity Incident (Cyber Incident) Reporting Requirements,” which required FHA-approved mortgagees to notify HUD when a “Cyber Incident” occurs. A Cyber Incident would be any unauthorized event that could harm information or computer systems, breaching security rules and affecting a mortgagee’s ability to meet FHA program requirements. It also would include actions that threaten data confidentiality, integrity, or availability, potentially disrupting mortgage operations. Mortgagees must report all suspected Cyber Incidents to HUD’s FHA Resource Center and Security Operations Center within 12 hours of detection. The report must include several details: the mortgagee’s name and ID, contact information, a description of the incident (including the date, cause, and impact to PII, login credentials, and IT systems), any affected subsidiary or parent companies, and the status of the mortgagee’s incident response, including whether law enforcement has been notified. The provisions of this ML are effective immediately and will be reflected in a forthcoming update to the HUD Handbook 4000.1.