FHA requires lenders to report significant cybersecurity incidents to HUD within 12 hours, effective immediately.
The Federal Housing Administration (FHA) has introduced a new policy requiring FHA-approved lenders to report significant cybersecurity incidents to the U.S. Department of Housing and Urban Development (HUD) within 12 hours of detection. This policy, effective immediately, was announced in Mortgagee Letter 2024-10, issued on May 23, 2024.
A “significant cybersecurity incident” is defined by the FHA as an event that actually or potentially jeopardizes the confidentiality, integrity, or availability of information within a lender’s systems or affects the lender’s ability to meet obligations under applicable FHA program requirements. The new policy applies to all FHA-insured mortgage programs.
Lenders experiencing such incidents must notify HUD via the FHA Resource Center at answers@hud.gov and HUD’s Security Operations Center at cirt@hud.gov. The report must include the lender's name, identification number, contact information, and a detailed description of the incident. This description should cover the cause of the incident, its impact on personally identifiable information (PII), login credentials, IT system architecture, and any affected subsidiary or parent companies. Additionally, the report must outline the lender's response to the incident, including whether law enforcement has been notified.
The FHA emphasized the importance of this immediate reporting requirement, noting that representatives from HUD will contact the reporting institution to determine appropriate mitigation steps based on the nature of the incident.
This new requirement will be incorporated into a future revision of the Single Family Handbook 4000.1, but lenders are required to comply with the guidance immediately.
The mandate comes amid a rising tide of cybersecurity threats affecting various industries, including the mortgage sector. Ransomware attacks, where malicious actors encrypt a victim’s digital systems and demand payment for the decryption key, have become increasingly common. In 2023, the FBI reported that cybercrime losses soared to a record high of $12.8 billion.
Notable incidents include a significant cyberattack on mortgage lender loanDepot in January, which impacted its operating performance in the first quarter of 2024. Other affected entities include Mr. Cooper Group, First American, and Fidelity National Financial Inc., the parent company of LoanCare. These companies had to temporarily shut down systems to contain attacks and protect customer data.
As cybercrime continues to escalate, the FHA’s new reporting requirements aim to ensure rapid and effective responses to cybersecurity threats, thereby protecting both lenders and their customers from the potentially devastating impacts of such incidents.
In light of these new requirements, companies like CodeLock can provide invaluable assistance to FHA-approved lenders by streamlining the incident reporting process and enhancing cybersecurity measures. CodeLock's advanced solutions offer real-time monitoring, automated threat detection, and comprehensive compliance tracking, ensuring that any cybersecurity incidents are promptly identified and reported in accordance with FHA guidelines. By leveraging CodeLock’s expertise in cybersecurity, lenders can not only safeguard their information systems but also maintain compliance with regulatory mandates efficiently, minimizing potential disruptions and financial losses associated with cyber threats.