FAQ – HUD & Cybersecurity Incidents
December 19, 2024 BY MQMR Blogger
Question: Did HUD recently update its reporting requirements for cybersecurity incidents?
Answer:
Yes, on December 2, 2024, HUD published Mortgagee Letter 2024-23, which revised cybersecurity notification requirements for FHA-Approved Mortgagees to require notification to HUD as soon as possible and no later than 36 hours after the mortgagee determined a Reportable Cyber Incident occurred. Previous guidance required notification no later than 12 hours after determination that a cyber incident occurred.
In the recent Mortgagee Letter, HUD also provided the following definitions:
- Cyber Incident = an occurrence that results in actual harm to the confidentiality, integrity, or availability of an information system or the information that the system processes, stores, or transmits.
- Reportable Cyber Incident = a Cyber Incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, the FHA-approved mortgagee’s ability to meet its operational obligations for originating or servicing FHA-insured mortgages.
Notification of Reportable Cyber Incidents must be emailed to HUD’s FHA Resource Center at answers@hud.gov and HUD’s Security Operations Center at cirt@hud.gov and include the following information:
- Mortgagee Name;
- Mortgagee ID;
- Name, email address, and phone number of the Mortgagee’s point of contact for coordinating follow-up activities;
- Description of the Cyber Incident, including the following, if known:
  - date of Cyber Incident;
  - cause of Cyber Incident;
  - impact to Personally Identifiable Information;
  - impact to login credentials;
  - impact to Information Technology (IT) system architecture;
  - list of any impacted subsidiary or parent companies; and
- Description of the current status of the Mortgagee’s Cyber Incident response, including whether law enforcement has been notified.
NOTE: This FAQ updates and supersedes MQMR’s prior FAQ on this topic published in May 2024: HUD Cybersecurity Reporting Requirements.