The Federal Housing Administration (FHA) updated its requirements for reporting cyber incidents, aiming to provide clarity and align with requirements from other agencies.
“These revised requirements follow an unprecedented influx of cyber incidents impacting FHA mortgagees, beginning in fiscal year 2023,” its mortgagee letter (ML) stated. “HUD [U.S. Department of Housing and Urban Development] is an operational partner of its FHA mortgagees and provides direct access to HUD systems and applications through transparency and trust relationships. It is vital that HUD receive early cyber incident notifications to defend its systems, including sensitive information within, and to enable swift and collaborative dialogue between HUD’s chief information security officer and the FHA mortgagee’s security operations official when a reportable cyber incident occurs. Consistent with the federal banking agencies, HUD encourages FHA mortgagees to continue the effective practice of providing same-day notification to HUD when a reportable cyber incident occurs.”
The ML stated that FHA-approved mortgagees are required to notify HUD as soon as possible, and no later than 36 hours after the mortgagee has determined that a reportable incident has occurred.