FHA issues immediate cybersecurity reporting requirements
The Federal Housing Administration (FHA) on Thursday published Mortgagee Letter (ML) 2024-10, outlining reporting requirements that lenders must follow if they detect a cybersecurity intrusion.

Effective immediately and applicable to all FHA-insured mortgage programs, the letter states that all lenders “that experience a potential or actual cyber incident must notify HUD via the FHA Resource Center at [email protected] and HUD’s Security Operations Center at [email protected] within 12 hours of detection with required information as outlined in the ML,” according to an announcement of the guidance.

“Once notified of an incident, representatives from HUD will contact the designated representative from the institution reporting the incident to determine the appropriate mitigation steps based on the nature of the incident,” the announcement added.

A “significant cybersecurity incident” is defined as “an event that actually or potentially jeopardizes, without lawful authority, the confidentiality, integrity, or availability of information or an information system; or constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies and has the potential to directly or indirectly impact the FHA-approved mortgagee’s ability to meet its obligations under applicable FHA program requirements,” the ML explained.

The letter also specifies the details that must be included in the incident report to HUD, such as the lender’s name, identification number, specific contact information and various details about the nature of the cybersecurity incident.

The guidance will be incorporated into a future revision of the Single Family Handbook 4000.1, but lenders must follow the guidance immediately.

Mortgage companies, along with other industries worldwide, have had to reckon with an accelerating rate of cybersecurity incidents in recent years. Ransomware attacks — in which a bad actor gains access to a target individual’s or organization’s digital systems, encrypts them and sells the decryption key to the victim for a price — are often the tool of choice.

Last month, the FBI reported that cybercrime losses rose to a record high of $12.8 billion in 2023.

Mortgage lender loanDepot was heavily impacted by a cyberattack in January, which the company recently said impacted its operating performance in first-quarter 2024.

Other entities recently impacted by cyberattacks include Mr. Cooper Group, First American and Fidelity National Financial Inc., the parent of servicer LoanCare. Each of these incidents caused the companies to temporarily shut down certain systems to contain attacks that exposed customer data. The accelerating frequency of cybercrime has many of these entities on edge.