Navigating the New FHA Cybersecurity Reporting Requirements: What Lenders Need To Know
Articles by: Richey May, Jun 04, 2024
In an industry where cybersecurity requirements are ever-evolving, the latest reporting requirement from the FHA marks a significant milestone in the mortgage regulatory landscape as the most aggressive requirement yet. The requirement went into effect on May 23rd, 2024, and requires all FHA-Approved Mortgagees to report Cyber Incidents to the Department of Housing and Urban Development (HUD) within 12 hours of detection. This follows the Ginnie Mae 48-hour reporting requirement released in March, which had the shortest reporting timeline at the time.
The rapid reporting requirements aim to mitigate potential damage quickly and emphasize the same theme: organizations can no longer rely on reactive measures alone. Lenders must foster a culture of cybersecurity awareness and incorporate early detection as part of their comprehensive risk management systems.
Lenders must have an effective and well-rehearsed cybersecurity program in place to make reporting on these timelines possible. Whether your team is fully outsourced, in-house, or a combination of both, it is essential to have a team of experts develop, test, refine, and manage your cybersecurity program. Just as you would train to run a marathon, you must train for a cyber incident by performing tabletop exercises mimicking various types of incidents you may experience. These exercises train your team in incident response protocols for various scenarios while helping to identify gaps and refine your processes for speed and efficiency. After refining and testing your processes with experts who are prepared for incident response, you will be well-equipped to identify and report incidents within the required timelines.
Following this process will help protect your business from cybersecurity incidents, even if you aren’t an FHA-Approved Mortgagee. A general best practice is to adhere to the most stringent requirement so you comply with all the others as well. As more cybersecurity reporting requirements are released, it’s important to have a team of cybersecurity experts who are up to date on the latest compliance requirements impacting your business. The requirements you need to adhere to depend on your products and where you operate, and the plan to comply will need to be tailored to your culture and risk tolerance.
The Richey May Cyber team members are experts in both the mortgage industry and cybersecurity and can help you determine the compliance requirements for your organization. For help developing, testing, refining, or managing your cybersecurity program, reach out to info@richeymay.com.
To learn more about the 12-hour reporting requirements for FHA-Approved Mortgagees, read Mortgagee Letter 2024-10.