FHA's cyber reporting requirements: What you need to know

The Federal Housing Administration has finalized its slightly more lenient cybersecurity incident reporting requirement, a move in response to an "unprecedented" influx of incidents.

FHA-approved counterparties must notify the Department of Housing and Urban Development as soon as possible, but no later than 36 hours, of determined incidents according to a Mortgagee Letter. The notice walks back a 12-hour window the Administration proposed in May.

"These revised requirements follow an unprecedented influx of cyber incidents impacting FHA mortgagees beginning in fiscal year 2023," the letter read. 

The FHA said its letter "harmonizes" its cyber incident reporting requirements with similar guidelines by federal banking agencies. Ginnie Mae this spring said its issuers must report incidents within 48 hours, while the Securities and Exchange Commission and Federal Trade Commission have issued more moderate reporting deadlines.

Affected companies must contact both the FHA's Resource Center at answers@hud.gov and HUD's Security Operations at cirt@hud.gov. 

The FHA defines a reportable cyber incident as one that "has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, the FHA-approved mortgagee's ability to meet its operational obligations for originating or servicing FHA-insured mortgages."

In addition to identifying information, businesses are required to describe, to their best knowledge, the cause of the incident; impact to login credentials or IT system architecture; and any impact to personally identifiable information, among other details. 

The letter did not state whether there would be any penalty or response should a company fail to report a defined incident within the 36-hour window. The FHA didn't respond to a request for comment Wednesday morning. 

The letter cited the heightened level of incidents in fiscal year 2023, although many mortgage companies have suffered cyber security incidents since that time. Three lenders, including Anniemac, reported last month breaches in 2024 which collectively impacted almost 200,000 consumers.

Financial firms on average spent over $6 million to respond to incidents in the past year, and some larger mortgage players have spent well beyond that. Consumers are also often quick to hit affected firms with lawsuits for negligence in failing to protect their data. 

Increasing cybersecurity regulation could also weigh on mortgage companies' budgets. Michael Nouguier, chief information security officer and director of cybersecurity services at Richey May, said he anticipates mortgage players to up their cybersecurity spending 10% to 15% in the next year. 

"There has to be an increase, because regulations are dictating that (companies) have to have these things or they're going to be financially impacted if a breach occurs," he said.