On May 23, the U.S. Department of Housing and Urban Development (HUD) announced an enhanced cybersecurity incident reporting regime for Federal Housing Administration (FHA)-approved mortgagees. The new requirements, issued as an update to the Single-Family Housing Policy Handbook 4000.1, require FHA-approved mortgagees to report a “suspected significant cybersecurity incident” within 12 hours of detection.
The new requirements require FHA-approved mortgage holders to report to HUD any “suspected” significant cyber incidents that occur. HUD defines a cyber incident as an event that (1) “actually or potentially jeopardizes the confidentiality, integrity, or availability of information or information systems without legal authority,” or (2) “constitutes a violation or imminent threat of a violation of security policies, security procedures, or acceptable use policies and may directly or indirectly affect the ability of an FHA-approved mortgage holder to fulfill its obligations under applicable FHA program requirements.”
Mortgagees must report these significant cyber incidents to HUD within 12 hours of detection. The reporting requirement is highly prescriptive and calls for specific details about the incident, such as its date, cause, impact, and effect. It is fair to say that many of these details may be difficult to know 12 hours after detection.
Put it into practice: Beyond the very short reporting period, HUD issued a very broad definition of a reportable significant cyber incident. The second element of HUD's definition is unusually broad in that it encompasses an “imminent threat” of a security policy violation and any event that may “directly or indirectly” affect an FHA-approved mortgagee. This allows it to encompass not only common types of cyber attacks such as theft, ransomware, and DDoS attacks, but also attacks on third-party service providers where a breach may “indirectly” affect the mortgagee.
Complying with HUD’s notice requirements will be extremely difficult for most lenders, and lenders should have procedures in place to ensure that nearly all potential cybersecurity incidents are escalated immediately, properly assessed, and reported.