The National Association of Reverse Mortgage Lenders (NRMLA) said this week it has submitted comments to the U.S. Department of Housing and Urban Development (HUD) requesting that the agency at least align its cybersecurity reporting requirements with those of Ginny Mae. However, ideally the extension should be even longer.
A draft mortgage letter (ML) was posted on September 30 and is still available visible on the drawing board for single-family homesan online portal for proposed but not yet implemented HUD policies. The ML provides updated requirements for when Federal Housing Administration (FHA) approved lenders must notify HUD within 36 hours of initial detection “when a reportable cyber incident occurs.”
The document “provides a clearer definition of what constitutes a cyber incident and requires FHA-approved mortgage holders to notify HUD as soon as possible – but no later than 36 hours – after determining that a reportable cyber incident has occurred,” said an announcement of the draft document published in September. “These updated reporting requirements harmonize FHA with existing standards established by federal banking agencies.”
But NRMLA said in a letter submitted through the Drafting Table that a better option would be to instead join similar policies that Ginnie Mae announced earlier this year. The government company has a Memorandum for all participants (APM) in March that instead gives issuers a 48-hour timeframe to notify the company of the relevant details regarding a suspected breach.
The trade association announced the move in an email update to its members. In consultation with HUD issues and NRMLA maintenance committees, the ideal scenario would be better alignment with a timetable proposed by the Office of the National Cyber Directora division within the White Housesaid NRMLA.
“[T]The goal of harmonizing cybersecurity standards across all federal agencies, as proposed by the Office of the National Cyber Director, is commendable and the proposed timeline for reporting incidents is more realistic and reasonable,” the NRMLA letter said. “For that reason, we strongly advocate that the Department revise its ML and adopt the 72-hour reporting deadline proposed by the Office of the National Cyber Director.”
HUD’s proposed guidelines would themselves be an extension. ML 2024-10issued in May, shortened the requirement to just 12 hours. But NRMLA argues that an extension to 72 hours would serve to “harmonize” the requirements of multiple federal agencies.
Global companies have become increasingly susceptible to the actions of bad actors seeking to compromise computer systems and either steal data or hold systems hostage for a fee via ‘ransomware’. Such attacks compromise the information security systems of companies around the world and can expose consumers’ personal and financial information.
In August the Federal Agency for Housing Financing (FHFA)’s Office of the Inspector General released a report saying the agency was highly vulnerable to hacking. The FBI reported earlier this year that cybercrime losses will reach a record high of $12.8 billion by 2023. loanDepot was hit hard by a cyber attack in January and the company said the event impacted its business performance in the first quarter of 2024.
Other entities recently hit by cyber attacks include Mr. Cooper Group, First American And Fidelity National Financialservicer’s parent Loan care. Each of these incidents resulted in companies temporarily disabling certain systems to thwart attacks that exposed customer data. The increasing frequency of cybercrime has many of these entities on edge.
