The Federal Housing Administration (FHA) and U.S. Department of Housing and Urban Development (HUD) have published new guidance revising their cyber incident reporting requirements for companies originating mortgage loans.
Essentially, the new guidance gives companies more time to report any potential breaches, although they are still urged to act in a timely manner once a breach has been identified. Effective immediately, FHA-approved mortgagees must notify HUD “as soon as possible,” but no later than 36 hours, after determining that a reportable cyber incident has occurred. The updated guidance supersedes the previous rule issued in May of this year, which said that FHA-approved mortgagees must report cyber incidents to HUD within 12 hours of detection.
The manner and required documentation for reporting cyber attacks remain the same: mortgagees must report to the FHA Resource Center and Security Operations Center on the HUD website, and reports must include incident dates, causes, impacts to login credentials, system architecture and consumer personal data. Reports must also continue to include a description of the mortgagee’s response to the incident, including whether law enforcement has been notified.