In a letter today, the American Bankers Association, the Bank Policy Institute and the Housing Policy Council requested that the Federal Housing Administration suspend a new policy requiring FHA-approved lenders to report a “significant cybersecurity incident” to the Department of Housing and Urban Development within 12 hours of detecting the incident. Suspending the policy would give FHA time to consider other existing cyber incident reporting requirements, they said. It would also allow time to develop an approach that satisfies the agency’s goals “without introducing unique new standards that will create adverse operational impacts for firms and customers during the critical stages of incident response.”
FHA announced the cyber incident reporting policy in a May mortgagee letter. The associations said that the policy has an impractical “significant cybersecurity incident” definition combined with an insufficient reporting timeframe. “Taken together, those thresholds for reporting extend beyond any existing federal or state reporting requirement,” they said.
The associations further noted that the policy is inconsistent with several ongoing government cyber regulatory harmonization efforts, such as work by the Cyber Incident Reporting Council to coordinate federal incident reporting requirements. “According to a recent survey of large financial institutions, firm cyber teams now spend as much as 70% of their time on regulatory compliance matters,” the associations said. “Therefore, an uncoordinated approach to regulatory reporting requirements is not without consequence and leaves cyber professionals with less time for the core security activities that are essential to effectively managing the organization’s cyber risk.”
