The FHA announced in Mortgagee Notice 2024-10 that it will require FHA-certified lenders to notify the U.S. Department of Housing and Urban Development (HUD) of any significant cybersecurity incidents. The Mortgagee Notice, dated May 23, 2024, provides that this requirement is effective immediately.
For purposes of reporting requirements, a significant cybersecurity incident (cyber incident) is an “event that, without legal authority, actually or potentially compromises the confidentiality, integrity, or availability of information or an information system, or that constitutes a violation or imminent threat of a violation of a security policy, security procedure, or acceptable use policy, and that may directly or indirectly affect the ability of an FHA-approved mortgagee to fulfill its obligations under applicable FHA program requirements.”
FHA lending institutions that suspect a cyber incident should report it to HUD's FHA Resource Center (answers@hud.gov) and HUD's Security Operations Center (cirt@hud.gov) within 12 hours of detecting the cyber incident. Reports should include the following information:
- Lender Name
- Lender ID
- The name, email address, and phone number of the lender's contact for Security Operations Center follow-up activities.
- Description of the cyber incident, if known, including:
  - Cyber incident occurrence date
  - Cause of the cyber incident
  - Impact on personal information
  - Impact on login credentials
  - Implications for Information Technology (IT) system architecture
  - A list of affected subsidiaries or parent companies
- A description of the current status of the lender's cyber incident response, including whether law enforcement agencies have been notified.
The Mortgagee Notice does not include a definition of “personally identifiable information.” The HUD Privacy Handbook states that “In accordance with the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-122, Guides for Protecting the Confidentiality of Personally Identifiable Information (PII),” PII is information that can be used, either alone or in combination with other personal or identifying information that is linked or linkable to a particular individual, to identify or trace the identity of an individual. The HUD Privacy Handbook provides a non-exclusive list of information that, alone or in combination with other information, may constitute PII: