FHA Releases New Draft ML on Cyber Incident Reporting; Letter Includes Adjustments Closer to MBA Suggestions

(Image courtesy of cottonbro studio/pexels.com)

The Federal Housing Administration posted a new draft Mortgagee Letter: Revised Cyber Incident Reporting Requirements on its Single-Family Housing Drafting Table. It provides updated requirements for when FHA-approved mortgagees must notify the Department of Housing and Urban Development when a reportable cyber incident occurs.

The draft ML outlines a clearer definition of what constitutes a cyber incident. It also requires FHA-approved mortgagees to notify HUD as soon as possible–and no later than 36 hours–after determining that a reportable incident has occurred.

The Mortgage Bankers Association provided feedback in June to the previous draft, flagging the previous document’s requirement that cyber incidents be reported within 12 hours. MBA urged the FHA to align its reporting timeline with Ginnie Mae’s 48-hour requirement.

Interested stakeholders are encouraged to review the draft and provide feedback by Oct. 30–instructions are available on the FHA Drafting Table.

When finalized and published, it will supersede previous guidance in ML 2014-10, dated May 23, 2024.