FAQ – HUD Cybersecurity Reporting Requirements

July 24, 2024 BY MQMR Blogger

Question: Has HUD implemented new cybersecurity reporting requirements?

Answer:

Yes. On May 23, 2024, HUD published Mortgagee Letter 2024-10, “Significant Cybersecurity Incident (Cyber Incident) Reporting Requirements,” as part of its commitment to the security and integrity of all operations systems and technology.

Effective immediately, the Mortgagee Letter requires FHA-approved Mortgagees to notify HUD when a Cyber Incident occurs. A Significant Cybersecurity Incident (Cyber Incident) is an event that actually or potentially jeopardizes, without lawful authority, the confidentiality, integrity, or availability of information or an information system; or constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies and has the potential to directly or indirectly impact the FHA-approved mortgagee’s ability to meet its obligations under applicable FHA program requirements.

An FHA-approved Mortgagee that experiences a suspected Cyber Incident must report the Cyber Incident to HUD’s FHA Resource Center at answers@hud.gov and HUD’s Security Operations Center at cirt@hud.gov within 12 hours of detection. Reports must include the following information:

  • Mortgagee name;
  • Mortgagee ID;
  • Name, email address, and phone number of Mortgagee’s point of contact for Security Operations Center follow-up activities;
  • Description of the Cyber Incident, including the following, if known:
    • Date of Cyber Incident;
    • Cause of Cyber Incident;
    • Impact to Personally Identifiable Information;
    • Impact to login credentials; and
    • Impact to Information Technology (IT) system architecture;
  • List of any impacted subsidiary or parent companies; and
  • Description of the current status of the Mortgagee’s Cyber Incident response, including whether law enforcement has been notified.