The National Reverse Mortgage Lenders Association (NRMLA) announced this week that it has submitted comments to the U.S. Department of Housing and Urban Development (HUD) urging it to at least align the agency's cybersecurity reporting requirements with Ginnie Mae's reporting requirements. Ideally, however, the association would like the reporting window to be even longer.
The draft Mortgagee Letter (ML) was posted on September 30 and can be viewed on the Single Family Drafting Table, an online portal for HUD policies that have been proposed but not yet implemented. The ML sets forth updated requirements regarding when Federal Housing Administration (FHA) approved lenders must notify HUD “in the event of a reportable cyber incident” within 36 hours of initial detection.
The document “provides a clearer definition of what constitutes a cyber incident and provides FHA-approved mortgage holders with a reportable cyber incident as soon as possible after determining that a reportable cyber incident has occurred,” the draft document, released in September, said. “We require HUD to be notified as soon as possible, but within 36 hours.” “These updated reporting requirements align FHA with existing standards established by federal banking agencies.”
However, in a letter submitted through the drafting table, the NRMLA said that a better option would be to align with a similar policy announced by Ginnie Mae earlier this year. The government-owned company issued an All Participant Memorandum (APM) in March giving issuers a 48-hour deadline to notify the company of relevant details related to a suspected incident.
The industry group announced the move in an email update to its members. After consulting with NRMLA's HUD Issues and Services Committee, NRMLA said the ideal scenario would be more consistent with the schedule proposed by the Office of the National Cyber Director, a division within the White House.
“The Office of the National Cyber Director's proposed goal of harmonizing cybersecurity standards across all federal agencies is laudable, and the proposed incident reporting schedule is more realistic and reasonable. As such, we urge the Department to revise the ML and adopt the 72-hour reporting timeframe proposed by the Office of the National Cyber Director.”
HUD's proposed guidance would itself be an extension: ML 2024-10, published in May, reduced the requirement to just 12 hours. But the NRMLA argues that an extension to 72 hours would help “harmonize” requirements among multiple federal agencies.
Global companies are increasingly sensitive to the actions of bad actors who attempt to compromise their computer systems, steal data, or hold them hostage for payment through “ransomware.” Such attacks can compromise the information security systems of businesses everywhere, potentially exposing consumers' personal and financial information.
In August, the Federal Housing Finance Agency's (FHFA) Office of Inspector General released a report finding the agency highly vulnerable to hacking. Earlier this year, the FBI reported that cybercrime losses in 2023 reached a record $12.8 billion. Mortgage lender loanDepot was significantly impacted by a cyberattack in January, with the company announcing that the event impacted its first quarter 2024 results.
Other companies recently affected by cyberattacks include Mr. Cooper Group, First American, and Fidelity National Financial, the parent company of servicer LoanCare. Each of these incidents caused companies to temporarily take down certain systems to thwart attacks that would compromise customer data. Many of these organizations are at risk as the frequency of cybercrime accelerates.