FHA Revises Cyber Incident Reporting Requirements

The Federal Housing Administration on Monday updated its requirements for cyber incident reporting.

FHA released Mortgagee Letter 2024-23, which extends the reporting timeline from 12 hours to 36 hours. It also greatly narrows what incidents are required to be reported.

“FHA is revising its Cyber Incident reporting requirements to provide additional clarity and to better align FHA reporting requirements with computer-security incident notification standards established by the Federal banking agencies,” FHA Commissioner Julia Gordon said in the memo. “These revised requirements follow an unprecedented influx of Cyber Incidents impacting FHA Mortgagees beginning in Fiscal Year 2023.”

Importantly, these revised requirements respond to a number of issues raised by MBA in June following FHA’s initial mortgagee letter. As suggested by MBA, only incidents that have “materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, the FHA-approved Mortgagee’s ability to meet its operational obligations for originating or servicing FHA-insured Mortgages” are reportable.

For more information, please contact Mortgage Bankers Association Manager of Loan Production Policy Darnell Peterson, AMP, at 202-557-2922 or dpeterson@mba.org.