FHA tightens data breach reporting requirements for lenders

The Federal Housing Administration is tightening its data breach reporting requirements for mortgage lenders.

Effective immediately, lenders must report any cybersecurity attacks within 12 hours of detection to the Department of Housing and Urban Development, FHA wrote May 23 in a mortgagee letter.

Cybersecurity incidents include those that actually or potentially jeopardize "the confidentiality, integrity, or availability of information," the FHA wrote, a definition that brings all events, big or small, into that purview.

Lenders must report the date and cause of a cyber incident and its impact on personally identifiable information.

Once notified of an incident, HUD will contact the impacted institution "to determine the appropriate mitigation steps based on the nature of the incident."

These requirements are part of the Department of Housing and Urban Development's commitment to the security and integrity of its systems and technology supporting FHA operations, the housing agency said.

"HUD issued this mortgagee letter to reinforce with program participants the importance of quickly reporting to HUD, addressing, and tracking cyber-security incidents in light of the nationwide increase in incidents in recent years," a HUD spokesperson wrote in an email Thursday.

The announcement comes during a time of increased data breach activity.

In recent months, numerous megalenders have had their systems hit. In some cases, the attacks have been carried out by way of third-party vendors.

Loandepot, Mr. Cooper, Academy Mortgage and Planet Home Lending are among the mortgage shops impacted by such incidents. Title companies have also been hit, including First American and Fidelity National Financial.

All in all, millions of customers have had their personally identifiable information stolen, and some litigation has sprouted because of it.

Most recently, Planet Home Lending moved to settle a consolidated class action brought against it for allegedly failing to protect the PII of customers during a hack in late 2023.

On May 13, a Connecticut federal judge issued a preliminary order approving a $2.42 million settlement between the plaintiffs and PHL. Over 200,000 Planet Home Lending customers had their data and PII leaked to the web.

Fannie Mae and Freddie Mac also have breach reporting requirements, though they are far less stringent for now. Fannie requires lenders to report within 72 hours if a potential hack has taken place, while Freddie requires lenders to report within 48 hours of detection.
