FHA Mandates 36-Hour Cyber Breach Reporting Requirement for Lenders

The FHA has mandated that lenders report cybersecurity breaches within 36 hours, emphasizing timely notifications to protect HUD's systems amid rising threats.

This week, the Federal Housing Administration (FHA) took a significant step by releasing Mortgagee Letter (ML) 2024-23, which introduces a new requirement for lenders: they now have to report any cybersecurity breaches within 36 hours of detection.

Although an initial draft of this letter was shared in September for feedback, the FHA has confirmed that it remains unchanged and is officially in effect.

New Reporting Requirements

The newly established 36-hour reporting window gives lenders more time than the previous guideline, outlined in ML 2024-10 from May.

That earlier guidance required lenders to report incidents much more quickly, within just 12 hours.

Under this updated ML, all FHA-approved mortgagees must notify the U.S. Department of Housing and Urban Development (HUD) about any cyber incidents as soon as possible, but no later than the 36-hour limit.

Notifications are to be sent through both the FHA Resource Center and HUD’s Security Operations Center.

Importance of Timely Notifications

This reporting requirement applies to all FHA-insured loan programs.

Since HUD serves as an operational partner for approved lenders and provides them access to crucial systems, the agency highlighted the importance of timely notifications.

Swift reporting of cyber incidents is vital for protecting HUD’s infrastructure and ensuring efficient communication between HUD’s Chief Information Security Officer and the security teams of FHA-approved mortgagees.

Industry Feedback and Cyber Threat Landscape

Interestingly, some industry stakeholders suggested that the reporting timeframe could be extended further than the current 36 hours.

The National Reverse Mortgage Lenders Association (NRMLA) submitted its comments in late October through the FHA’s Single Family Drafting Table, advocating for a 48-hour window for reporting suspected breaches, in line with Ginnie Mae’s policy.

NRMLA also indicated that synchronizing the FHA’s timelines with proposals from the White House’s Office of the National Cyber Director could be advantageous.

Despite receiving this feedback, the FHA chose not to provide any reasoning for its decision not to extend the reporting timeline.

Moving forward, this new requirement will likely be included in updates to the Single Family Housing Handbook 4000.1.

In recent years, mortgage companies around the world have encountered an alarming increase in cyber threats.

Ransomware attacks have become particularly concerning, with attackers accessing digital systems, encrypting sensitive information, and demanding ransom for the decryption keys.

Several notable companies in the mortgage sector have fallen victim to cyber incidents, including American Neighborhood Mortgage Acceptance Co. LLC (known as AnnieMac), Mr. Cooper Group, First American, and Fidelity National Financial Inc., which owns LoanCare.

These breaches have forced organizations to temporarily shut down specific systems to safeguard customer data, highlighting the pressing need for enhanced cybersecurity protocols in the industry.

Source: Housingwire