FHA Announces New Cybersecurity Incident Reporting Requirements

The Federal Housing Administration (“FHA”) has issued new requirements, effective immediately, for reporting a potential or actual cybersecurity incident. In a circular published today, FHA announced that mortgagees must notify the Department of Housing and Urban Development (“HUD”) of any “Significant Cybersecurity Incident” within 12 hours of detection via the FHA Resource Center at answers@hud.gov and HUD’s Security Operations Center at cirt@hud.gov. The new requirement is part of HUD’s “commitment to the security and integrity of all its systems and technology supporting FHA operations.” Following notification of a cybersecurity incident, HUD representatives will contact mortgagee to determine the appropriate mitigation steps based on the nature of the incident. To read the Mortgagee Letter, please visit Mortgagee Letter 2024-10.