FHA issues immediate cybersecurity reporting requirements
The Federal Housing Administration (FHA) on Thursday published Mortgagee Letter (ML) 2024-10, outlining reporting requirements that lenders must follow if they detect a cybersecurity intrusion.
Effective immediately and applicable to all FHA-insured mortgage programs, the letter states that all lenders “that experience a potential or actual cyber incident must notify HUD via the FHA Resource Center at [email protected] and HUD’s Security Operations Center at [email protected] within 12 hours of detection with required information as outlined in the ML,” according to an announcement of the guidance.
“Once notified of an incident, representatives from HUD will contact the designated representative from the institution reporting the incident to determine the appropriate mitigation steps based on the nature of the incident,” the announcement added.
A “significant cybersecurity incident” is defined as “an event that actually or potentially jeopardizes, without lawful authority, the confidentiality, integrity, or availability of information or an information system; or constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies and has the potential to directly or indirectly impact the FHA-approved mortgagee’s ability to meet its obligations under applicable FHA program requirements,” the ML explained.
The letter also specifies the details that must be included in the incident report to HUD, such as the lender’s name, identification number, specific contact information and various details about the nature of the cybersecurity incident.
The guidance will be incorporated into a future revision of the Single Family Handbook 4000.1, but lenders must follow the guidance immediately.
Mortgage companies, along with other industries worldwide, have had to reckon with an accelerating rate of cybersecurity incidents in recent years. Ransomware attacks — in which a bad actor gains access to a target individual’s or organization’s digital systems, encrypts them and sells the decryption key to the victim for a price — are often the tool of choice.
Last month, the FBI reported that cybercrime losses rose to a record high of $12.8 billion in 2023. Mortgage lender loanDepot was heavily impacted by a cyberattack in January, which the company recently said impacted its operating performance in first-quarter 2024.
Other entities recently impacted by cyberattacks include Mr. Cooper Group, First American and Fidelity National Financial Inc., the parent of servicer LoanCare. Each of these incidents caused the companies to temporarily shut down certain systems to contain attacks that exposed customer data. The accelerating frequency of cybercrime has many of these entities on edge.