On December 2, the FHA issued Mortgagee Letter 2024-23, outlining revised requirements for reporting cyber incidents by FHA-approved mortgagees. According to the letter, the revisions aim to align FHA reporting requirements with federal standards and address the increase in cyber incidents affecting FHA mortgagees. The letter required mortgagees to notify HUD within 36 hours of determining that a “Reportable Cyber Incident” has occurred. A reportable cyber incident is an event that has “materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, the FHA-approved Mortgagee’s ability to meet its operational obligations for originating or servicing FHA-insured Mortgages.” Reports must be sent to HUD’s FHA Resource Center and Security Operations Center and include specific details such as the mortgagee’s name, ID, contact information, a description of the incident, and the status of the response. These updates will be incorporated into the FHA Single Family Housing Policy Handbook. The letter superseded a previous letter (ML 2024-10) and goes into effect immediately, applying to all FHA insurance programs.
