News

Federal Housing Administration Publishes Draft Updates to Its Cyber Reporting Requirements

Cooley alert
October 2, 2024

On September 30, 2024, the Federal Housing Administration (FHA) published a draft Mortgagee Letter (ML) with updated cyber incident reporting requirements and a call for interested stakeholders to provide feedback to the draft ML through October 30, 2024.

In the draft ML, the FHA proposes to:

  • Update the current triggers for reporting cyber events to the Department of Housing and Urban Development (HUD) by tying reporting to a newly defined term, “Reportable Cyber Incident.”
  • Extend the reporting timeline from 12 hours to 36 hours.

Current reporting requirements

As detailed in our May 2024 client alert, ML 2024-10 requires FHA-approved Mortgagees to report certain cyber incidents to HUD within 12 hours of detection. The current reporting requirements define a “Significant Cyber Incident” in exceptionally broad terms, encompassing incidents that either:

  • Actually or potentially jeopardize the confidentiality, integrity, or availability of information or an information system.
  • Constitute a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies and have the potential to directly or indirectly impact an FHA-approved Mortgagee’s ability to meet its obligations under applicable FHA program requirements. 

‘Cyber Incident’ and ‘Reportable Cyber Incident’

The draft ML would replace ML 2024-10’s “Significant Cyber Incident” standard with two newly defined terms that clarify and narrow the scope of cyber incidents that fall within the reporting requirements. The draft ML defines a “Cyber Incident” as an occurrence that results in actual harm to the confidentiality, integrity, or availability of an information system or the information that the system processes, stores, or transmits. The draft ML goes on to define the term “Reportable Cyber Incident” as a cyber incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, an FHA-approved Mortgagee’s ability to meet its operational obligations for originating or servicing FHA-insured mortgages.

In contrast to ML 2024-10’s current reporting requirements that apply to incidents that have the potential to impact a Mortgagee’s information system, the draft ML proposes to require reporting of incidents that result in actual harm to information systems and data and also result (or are reasonably likely to result) in a material disruption or degradation of the Mortgagee’s origination or servicing obligations for FHA-insured mortgages. These new definitions tie the reporting requirements more clearly to a Mortgagee’s ability to meet its FHA obligations, rather than serving as a broader blanket notification requirement.

Extended reporting timeline

The draft ML also proposes extending the required time frame for notifying HUD of reportable incidents from the current 12 hours to 36 hours. However, the draft ML notes that “FHA Mortgagees [should] continue the effective practice of providing same-day notification to HUD when a Reportable Cyber Incident occurs.”

Notably, the proposed 36-hour requirement is triggered upon a Mortgagee determining that a “Reportable Cyber Incident” has occurred. When read in context of the proposed definition of “Reportable Cyber Incident,” the draft ML arguably permits time to conduct a reasonable investigation to determine whether:

  • There has been actual harm to the confidentiality, integrity, or availability of information systems or data.
  • The incident has or is likely to materially disrupt or degrade a Mortgagee’s ability to meet its origination or servicing obligations for FHA-insured mortgages.

Impact and invitation for comment

The updated definitions and timelines in the draft ML are not yet finalized, so Mortgagees should continue following ML 2024-10’s reporting requirements, which still apply. HUD is accepting feedback on the draft ML through October 30, 2024, and interested parties can submit their comments to sffeedback@hud.gov.

This content is provided for general informational purposes only, and your access or use of the content does not create an attorney-client relationship between you or your organization and Cooley LLP, Cooley (UK) LLP, or any other affiliated practice or entity (collectively referred to as “Cooley”). By accessing this content, you agree that the information provided does not constitute legal or other professional advice. This content is not a substitute for obtaining legal advice from a qualified attorney licensed in your jurisdiction and you should not act or refrain from acting based on this content. This content may be changed without notice. It is not guaranteed to be complete, correct or up to date, and it may not reflect the most current legal developments. Prior results do not guarantee a similar outcome. Do not send any confidential information to Cooley, as we do not have any duty to keep any information you provide to us confidential. This content may be considered Attorney Advertising and is subject to our legal notices.