The Federal Housing Administration today announced that FHA-approved lenders will have 36 hours to report a cybersecurity incident to the Department of Housing and Urban Development instead of 12 hours, as was originally proposed.
FHA in May issued a mortgagee letter announcing that lenders had 12 hours to report a significant cyber incident after determining one had occurred. A reportable incident is defined as one that actually or potentially jeopardizes the confidentiality, integrity or availability of information within a lender’s systems, or affects the ability of the lender to meet its obligations under applicable FHA program requirements.
The American Bankers Association joined with other associations in requesting that FHA rescind the letter, noting that the 12-hour deadline was much shorter than the cyber reporting requirements of other federal agencies. The associations also met with FHA and HUD officials to express their concerns and sent a follow-up letter in October expressing support for a 36-hour deadline, which would align the requirement with those of federal banking agencies.
In a mortgagee letter issued today, FHA pushed back the deadline for reporting cyber incidents to 36 hours, although it emphasized that lenders should report incidents as soon as possible. Lenders must provide information such as the date and cause of the incident and how it affects personally identifiable information in their systems.