Federal Housing Administration Releases Draft Updates to Its Cyber Reporting Requirements | Cooley LLP

On September 30, 2024, the Federal Housing Administration (FHA) published a draft Mortgagee Letter (ML) with updated cyber incident reporting requirements and a call for interested stakeholders to provide feedback on the draft ML by October 30, 2024.

In the draft ML, the FHA proposes the following:

  • Update the current triggers for reporting cyber events to the Department of Housing and Urban Development (HUD) by tying reporting to a newly defined term: “Reportable Cyber Incident.”
  • Extend the reporting period from 12 hours to 36 hours.

Current reporting requirements

As detailed in our May 2024 client alert, ML 2024-10 requires FHA-approved mortgagees to report certain cyber incidents to HUD within 12 hours of discovery. The current reporting requirements define a “significant cyber incident” exceptionally broadly, to include incidents that either:

  • Actually or potentially jeopardize the confidentiality, integrity or availability of any information or an information system.
  • Constitute a violation or threatened violation of any security policy, security procedure, or acceptable use policy and may directly or indirectly impact an FHA-approved mortgagee's ability to comply with its obligations under applicable FHA program requirements.

“Cyber incident” and “reportable cyber incident”

The draft ML would replace the “significant cyber incident” standard of ML 2024-10 with two newly defined terms that clarify and limit the scope of cyber incidents covered by the reporting requirements. The draft ML defines a “cyber incident” as an event that results in an actual compromise of the confidentiality, integrity or availability of an information system or the information that the system processes, stores or transmits. The draft ML further defines a “reportable cyber incident” as a cyber incident that has materially disrupted or impaired, or is reasonably likely to materially disrupt or impair, the ability of an FHA-approved mortgagee to meet its operational obligations for originating or servicing FHA-insured mortgages.

Unlike the current reporting requirements of ML 2024-10, which apply to incidents that have the potential to impact a mortgagee's information system, the draft ML proposes requiring reporting of incidents that actually cause damage to information systems and data and that also cause (or may cause) a material disruption to, or deterioration of, the mortgagee's ability to meet its lending or servicing obligations for FHA-insured mortgages. These new definitions link the reporting requirements more clearly to a mortgagee's ability to meet its FHA obligations, rather than serving as a broader blanket reporting requirement.

Extended reporting period

The draft ML also proposes to extend the required time frame for notifying HUD of reportable incidents to 36 hours from the current 12 hours. However, the draft ML states that “FHA Mortgagees [should] continue the effective practice of notifying HUD the same day when a reportable cyber incident occurs.”

Specifically, the proposed 36-hour requirement will be triggered when a mortgagee determines that a “reportable cyber incident” has occurred. In the context of the proposed definition of a reportable cyber incident, the draft ML appears to allow time to conduct an appropriate investigation to determine whether:

  • The confidentiality, integrity or availability of information systems or data has actually been compromised.
  • The incident has materially disrupted or impaired, or is likely to materially disrupt or impair, a mortgagee's ability to meet its origination or servicing obligations for FHA-insured mortgages.

Impact and invitation to comment

The updated definitions and time frames in the draft ML are not yet final, so mortgagees should continue to follow the reporting requirements of ML 2024-10, which remain in effect. HUD is accepting feedback on the draft ML until October 30, 2024, and interested parties can send their comments to [email protected].