FHA Enacts New Cybersecurity Reporting Requirements
FHA mortgagees experiencing a potential or actual cyberattack must notify HUD within 12 hours.
The Federal Housing Administration (FHA) recently published new Cybersecurity Incident Reporting Requirements, significantly enhancing the reporting regime for cyber breaches. According to its Mortgagee Letter (ML) 2024-10, published May 23, FHA-approved mortgagees are to notify the Department of Housing and Urban Development (HUD) within 12 hours of detecting a cyber incident.
The new section detailing a Significant Cybersecurity Incident (V.A.2.b.viii) states that FHA-approved mortgagees that experience a potential or actual cyber incident must notify HUD via the FHA Resource Center and HUD’s Security Operations Center within 12 hours of detection, providing the required information outlined in the ML. Once notified of an incident, representatives from HUD will contact the designated representative from the institution reporting the incident to determine the appropriate mitigation steps.
The requirements, which are effective immediately, are part of HUD’s commitment to the security and integrity of all its systems and technology supporting FHA operations.
Mortgage servicers have increasingly been targeted for cyberattacks, causing borrowers' personal information to be compromised. In late 2023 and early 2024, four major mortgage servicers, Mr. Cooper Group, Fidelity National Financial, First American Financial and loanDepot, were targeted in cyberattacks. In addition to compromising consumer and corporate data, the attacks delayed closing times on new loans and prevented customers from making payments.
The breaches have also led to a number of class action lawsuits against lenders that are being scrutinized for how those data breaches were handled. loanDepot Inc. is facing a class action lawsuit alleging its “willful failure” to prevent a data breach. Mr. Cooper Group also faces a class action lawsuit after suffering a major data breach, and is accused of failing to implement safeguards and not being timely and transparent in communicating with customers.