The Federal Housing Administration today issued a new policy requiring FHA-approved lenders to report a “significant cybersecurity incident” to the Department of Housing and Urban Development within 12 hours of detecting the incident. The policy change was announced in a mortgagee letter. The agency defines a significant cybersecurity incident as one that actually or potentially jeopardizes the confidentiality, integrity or availability of information within a lender’s systems, or affects the ability of the lender to meet its obligations under applicable FHA program requirements.
According to the letter, cyber incidents must be reported to both HUD’s FHA Resource Center and HUD’s Security Operations Center. Reports must include information such as a description of the incident and its effect on potentially identifiable information. Lenders must also report any effects on their information technology infrastructure and their response to the incident, including whether law enforcement has been notified.
