The U.S. Department of Housing and Urban Development today released a draft mortgagee letter that proposes extending from 12 to 36 hours the deadline for lenders to report cybersecurity incidents to HUD.
The Federal Housing Administration in May announced a new policy requiring FHA-approved lenders to report a “significant cybersecurity incident” to HUD within 12 hours of detecting the incident. HUD’s draft letter would extend the deadline to 36 hours, although it still urges lenders to report incidents as soon as possible. It also would narrow the definition of a significant cyber incident and clarify the incident must result in actual harm. Public feedback on the draft letter is due by Oct. 30.
In June, the American Bankers Association, Bank Policy Institute and Housing Policy Council urged the FHA to suspend the policy, saying it was impractical to implement and that a suspension would give the agency time to consider other cyber incident reporting requirements.
