On May 23, 2024, HUD issued a letter to announce that FHA-approved mortgagees are required to notify HUD when a “Cyber Incident” occurs. Specifically, FHA-approved mortgagees are to report cyber incidents to HUD within 12 hours of detection.
A Cyber Incident would be any unauthorized event that could harm information or computer systems, breaching security rules, and affecting a mortgagee’s ability to meet FHA program requirements. These include actions that threaten data confidentiality, integrity, or availability, potentially disrupting mortgage operations. Mortgagees shall report all suspected Cyber Incidents to HUD's FHA Resource Center and Security Operations Center within 12 hours of detection.
The new requirement is effective immediately and applies to all FHA insurance programs.
The Mortgagee Letter can be found here.