The U.S. Department of Housing and Urban Development (HUD) has issued new heightened cybersecurity incident notice requirements that take effect immediately. FHA-approved mortgagees are now required to notify HUD of any suspected “significant cybersecurity incidents” within 12 hours of detection.
The new HUD requirement is in addition to and distinct from Ginnie Mae’s recently announced requirement that issuers of mortgage-backed securities report any suspected “significant cybersecurity incidents” to Ginnie Mae within 48 hours of detection.
Here are answers to five key questions about the new HUD requirement.
1. Who needs to comply?
The new reporting requirement applies to all FHA-approved mortgagees. Covered mortgagees include bank and non-bank lenders who have been approved by the Federal Housing Administration (FHA) to originate, underwrite, close, endorse, service, purchase, hold or sell FHA-insured mortgage loans.
2. What constitutes a “significant cybersecurity incident”?
The policy defines reportable cybersecurity incidents broadly to include any event that:
- Actually or potentially jeopardizes, without lawful authority, the confidentiality, integrity or availability of information or an information system or
- Constitutes a violation or imminent threat of violation of security policies, security procedures or acceptable use policies and has the potential to directly or indirectly impact the FHA-approved mortgagee’s ability to meet its obligations under applicable FHA program requirements.
Notably, the reporting obligation is not limited to incidents involving sensitive or confidential information. A cybersecurity incident involving other circumstances or categories of information could also trigger a reporting expectation from HUD.
3. How does an FHA-approved mortgagee report a “significant cybersecurity incident”?
An FHA-approved mortgagee is required to email HUD’s FHA Resource Center at [email protected] and HUD’s Security Operations Center at [email protected] within 12 hours of detection. The email must include:
- Mortgagee name & ID.
- Contact information for the mortgagee’s point of contact for Security Operations follow-up.
- Description of the incident including, if known, the date, cause and impact to personally identifiable information, login credentials and IT system architecture.
- List of any impacted subsidiary or parent companies.
- Description of the status of the mortgagee’s incident response, including whether it has notified law enforcement.
4. How will this requirement impact FHA-approved mortgagees and subcontractors?
If you are an FHA-approved mortgagee:
- Because the 12-hour time window is so short, you will likely have to improve the efficiency of your cybersecurity incident response plan.
If you are a subcontractor or third party working with an FHA-approved mortgagee:
- Because cybersecurity incidents affecting you could indirectly affect the mortgagee and trigger reporting requirements, expect the mortgagee to seek to include heightened breach notice obligations in vendor contracts to comply with reporting obligations.
5. What options are available to mitigate risk?
FHA-approved mortgagees should work with experienced counsel to develop or refine risk mitigation strategies. Some options to consider include:
- Implement and maintain reasonable security practices to limit the risk of a security incident.
- Update your incident response plan to meet the 12-hour notification window:
  - Determine which employees will decide whether to report to HUD.
  - Include quick escalation to employees responsible for reporting.
  - Run tabletop exercises to test your incident response plans.
- Update contracts with subcontractors to include robust security incident notification requirements.
Want to know more? Contact one of the authors (Shannon Yavorsky, David Curtis, Melissa Klimkiewicz, and Shivani Chelliah) or another member of the Orrick team.