In Mortgagee Letter 2024-10, FHA announced a requirement for FHA-approved lenders to notify the U.S. Department of Housing and Urban Development (HUD) of Significant Cybersecurity Incidents. The Mortgagee Letter, which is dated May 23, 2024, provides that the requirement is effective immediately.

For purposes of the reporting requirement, a Significant Cybersecurity Incident (Cyber Incident) is “an event that actually or potentially jeopardizes, without lawful authority, the confidentiality, integrity, or availability of information or an information system; or constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies and has the potential to directly or indirectly impact the FHA-approved mortgagee’s ability to meet its obligations under applicable FHA program requirements.”

On September 25, the Consumer Financial Protection Bureau issued a report on its sources and uses of data. This report was followed by a Request for Information regarding its data collection practices, published in the Federal Register on September 28. In some respects, both documents are a follow-up to Acting Director Mick Mulvaney’s December 2017 order to CFPB staff to cease collecting personally identifying information, pending a review of and improvements to the Bureau’s overall data security systems.

Since Mick Mulvaney’s appointment by President Trump as CFPB Acting Director, there have been widespread media reports about Mr. Mulvaney’s plans to impose a freeze on the CFPB’s collection of personally identifiable information (PII), such as individual loan level data, until the CFPB improves its data security systems.  Mr. Mulvaney’s concerns about the CFPB’s data security systems were reportedly prompted in part by reports issued by the Office of Inspector General for the CFPB that found deficiencies in the CFPB’s data security practices.