In Mortgagee Letter 2024-10, FHA announced a requirement for FHA approved lenders to notify the U.S. Department of Housing and Urban Development (HUD) of Significant Cybersecurity Incidents. The Mortgagee Letter, which is dated May 23, 2024, provides that the requirement is effective immediately.
For purposes of the reporting requirement, a Significant Cybersecurity Incident (Cyber Incident) is “an event that actually or potentially jeopardizes, without lawful authority, the confidentiality, integrity, or availability of information or an information system; or constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies and has the potential to directly or indirectly impact the FHA-approved mortgagee’s ability to meet its obligations under applicable FHA program requirements.”
FHA lenders that experience a suspected Cyber Incident must report the Cyber Incident to HUD’s FHA Resource Center at answers@hud.gov and HUD’s Security Operations Center at cirt@hud.gov within 12 hours of detection. Reports must include the following information:
- Lender name
- Lender ID
- Name, email address, and phone number of lender’s point of contact for Security Operations Center follow-up activities;
- Description of the Cyber Incident, including the following, if known:
- Date of Cyber Incident
- Cause of Cyber Incident
- Impact to Personally Identifiable Information
- Impact to login credentials
- Impact to Information Technology (IT) system architecture
- List of any impacted subsidiary or parent companies
- Description of the current status of the lender’s Cyber Incident response, including whether law enforcement has been notified
The Mortgagee Letter does not include a definition of “Personally Identifiable Information.” The HUD Privacy Handbook provides that pursuant to “the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-122, “Guide to Protecting the Confidentiality of Personally Identifiable Information (PII),” PII is information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other personal or identifying information that is linked or linkable to a specific individual.” The HUD Privacy Handbook sets forth a non-exclusive list of information that may constitute PII on its own or in combination with other information.