HUD Issues New, Enhanced Cybersecurity Incident Reporting Requirements: 5 Things You Should Know | Orrick, Herrington & Sutcliffe LLP

(Co-author: Shivani Chelliah)

The U.S. Department of Housing and Urban Development (HUD) has issued new, enhanced cybersecurity incident reporting requirements that take effect immediately. FHA-approved mortgage lenders must now notify HUD of any suspected “significant cybersecurity incident” within 12 hours of discovery.

The new HUD requirement complements and differs from Ginnie Mae’s recently announced requirement that issuers of mortgage-backed securities report all suspected “significant cybersecurity incidents” to Ginnie Mae within 48 hours of discovery.

Here are answers to five important questions about the new HUD requirement.

1. Who is bound by the regulations?

The new reporting requirement applies to all FHA-approved mortgage lenders. Covered mortgagees include banks and non-bank lenders that have received approval from the Federal Housing Administration (FHA) to originate, guarantee, close, sponsor, service, purchase, hold, or sell FHA-insured mortgage loans.

2. What constitutes a “significant cybersecurity incident”?

The directive defines reportable cybersecurity incidents broadly, covering any event that:

  • Actually or potentially jeopardizes the confidentiality, integrity or availability of information or an information system without lawful authority to do so; or
  • Represents a violation, or an imminent threat of a violation, of any security policy, security procedure or acceptable use policy, and has the potential to directly or indirectly affect the FHA-approved mortgagee’s ability to meet its obligations under applicable FHA program requirements.

Notably, the reporting requirement is not limited to incidents involving sensitive or confidential information. Incidents involving other circumstances or categories of information may also trigger a reporting obligation to HUD.

3. How does an FHA-approved mortgagee report a “significant cybersecurity incident”?

An FHA-approved mortgagee must send an email to HUD’s FHA Resource Center at (email protected) and to HUD’s Security Operations Center at (email protected) within 12 hours of discovery. The email must contain the following:

  • Name and ID of the mortgagee.
  • Contact information for the mortgagee’s point of contact for tracking security operations.
  • Description of the incident, including date, cause and impact on personal data, credentials and IT system architecture (if known).
  • List of all affected subsidiaries or parent companies.
  • Description of the status of the mortgagee’s response to the incident, including whether it has notified law enforcement authorities.

4. How does this requirement affect FHA-approved mortgage lenders and subcontractors?

If you are an FHA-approved mortgagee:

  • Because the 12-hour window is so short, you likely need to improve the efficiency of your cybersecurity incident response plan.

If you are a subcontractor or third party working with an FHA-approved mortgagee:

  • Because a cybersecurity incident affecting you may also indirectly affect the mortgagee and trigger its reporting obligations, expect the mortgagee to seek enhanced breach-reporting obligations in its supplier contracts so that it can meet the 12-hour deadline.

5. What options are there to reduce the risk?

FHA-approved mortgage lenders should work with experienced advisors to develop or refine risk mitigation strategies. Some options to consider include:

  • Implement and maintain appropriate security practices to limit the risk of a security incident.
  • Update your incident response plan to meet the 12-hour notification window:
    • Determine which employees decide whether to report to HUD.
    • Include rapid escalation to the staff responsible for the report.
    • Conduct simulation exercises to test your incident response plans.
  • Update subcontractor contracts to include strict requirements for reporting security incidents.