A mortgagee letter (ML) on reporting requirements related to cyber security incidents was posted for participant feedback on the Federal Housing Administration’s (FHA) Single-Family Housing Drafting Table.
The ML details revisions to the reporting requirements that govern when FHA-approved mortgagees must notify the Department of Housing and Urban Development (HUD) that a reportable cyber incident has occurred.
This ML draft provides a clearer definition of what constitutes a cyber incident and requires regulated mortgagees to notify HUD as soon as possible (but no later than 36 hours) after determining that a reportable cyber incident has occurred, FHA stated in a release. It added that the updates in the draft harmonize FHA with existing standards established by the federal banking agencies.
Those wishing to review and provide feedback have until Oct. 30 to do so. Once published, the updated guidance will supersede ML 2024-10, dated May 23, 2024.
“As a reminder, this draft ML is not official departmental policy and cannot be used in connection with any FHA-insured mortgage until finalized,” FHA stated. “FHA’s existing policies remain in effect until amended.”