
Federal Housing Administration introduces new cyber reporting requirements | Cooley LLP

On May 23, 2024, the Federal Housing Administration (FHA) issued Mortgagee Letter 2024-10 (Letter), which requires FHA-approved mortgage lenders to report certain cyber incidents to the Department of Housing and Urban Development (HUD) within 12 hours of discovery.

Reporting obligation

Mortgage lenders who experience a “suspected” cyber incident must report the incident to the FHA Resource Center and HUD’s Security Operations Center within 12 hours of its discovery. The new requirement is effective immediately.

Broad definition

The letter defines a “significant cyber incident” (cyber incident) in incredibly broad terms. A cyber incident is an event that either:

  • Actually or potentially, without lawful authority, endangers the confidentiality, integrity or availability of information or an information system; or
  • Represents a violation or imminent threat of a violation of security policies, security procedures, or acceptable use policies,

and that has the potential to directly or indirectly affect the ability of the FHA-approved mortgagee to meet its obligations under applicable FHA program requirements.

This definition arguably captures a broad range of cyber activity and requires reporting of activity that would not ultimately constitute a cyber incident under other reporting regimes. Mortgagees must report “suspected” events that “potentially” compromise the confidentiality of information or an information system – terms that are not defined – and “suspected” events that pose “imminent” – not necessarily actual – threats of a violation of a mortgagee’s policies. Similarly, mortgagees must report policy violations that “potentially” affect the mortgagee’s ability to meet its FHA obligations.

Effects

Under the letter, mortgagees must identify the date of the cyber incident, its cause, and its impact on personal data, credentials, and information technology systems. The mortgagee must also describe the status of its investigation and indicate whether it has notified law enforcement.

Realistically, many mortgagees may be unaware of the actual or potential impact of a cyber incident within the first 12 hours of discovery, and a mortgagee’s assessment of the actual or potential impact is likely to change and evolve as the forensic investigation progresses.

Mortgagees may not even have initiated a formal incident response process within the first 12 hours of discovery. As a practical matter, therefore, it is unlikely that an affected mortgagee will have the information necessary to fully comply with the FHA’s reporting standard within the required timeframe.

The broad definition of a cyber incident could result in a flood of potentially insignificant reports of cyber activity, making it harder for the FHA to quickly identify and address the most serious cyber incidents. In addition, the letter requires mortgagees to email these reports to HUD’s Security Operations Center and the FHA Resource Center, with the latter to be notified via the Resource Center’s general inbox, which could lengthen response times for general inquiries about the FHA’s programs.
