This article originally appeared in the April 2025 edition of MortgagePoint magazine, online now.
Cybersecurity remains a top priority in industry discussions and in the news. Over the past five years, nearly every business conference we have attended has featured at least one session dedicated to this critical topic. It remains highly relevant and shows no signs of diminishing in importance. Cybersecurity was prominently featured on the agendas at both the National Reverse Mortgage Lenders Association (NRMLA) Annual and the American Credit Union Mortgage Association (ACUMA) Conferences, underscoring its continued significance across the industry.
Now, with changes to notification requirements published by HUD in Mortgagee Letter 2024-10, the topic of cybersecurity incidents has become more critical than ever. New regulatory mandates, coupled with recent high-profile cyber incidents, have placed the industry on heightened alert, reinforcing the need for proactive measures and robust security protocols.
What’s Changing Now
In Mortgagee Letter 2024-10, HUD made significant changes to the reporting requirements for FHA lenders regarding “significant cybersecurity incidents,” particularly tightening the timeline for such notifications. Although HUD welcomed feedback to inform future updates, the changes took effect immediately. While only three pages long, the letter had a substantial impact on the industry, prompting lenders to reevaluate their cybersecurity protocols and response strategies.
In the letter, Julia R. Gordon, former Assistant Secretary for Housing, wrote:
“An FHA-approved Mortgagee that has experienced a suspected Cyber Incident must report the Cyber Incident to HUD’s FHA Resource Center … and HUD’s Security Operations Center … within 12 hours of detection.”
While this timeline underscores HUD’s urgency in addressing cybersecurity, it often takes time for organizations to fully understand the nature and severity of a cybersecurity incident, making compliance with the requirement particularly challenging.
The problem for many lenders lies in the conflicting requirements set by other agencies. While HUD has implemented stricter timelines for reporting significant cybersecurity incidents, other agencies, such as the Office of the National Cyber Director and Ginnie Mae, allow for greater flexibility in the reporting process.
Notably, in recent conversations at the NRMLA HUD Issues Committee meeting, cybersecurity took center stage, highlighting the industry’s growing concern and the urgent need for clarity and alignment on these critical requirements.
The concerns are understandable. Recent high-profile cyber incidents have exposed vulnerabilities across the mortgage lending sector, raising alarms about potential data breaches and operational disruptions. As detailed by Matt Kapko in the February 6, 2024, edition of “CyberSecurityDive,” some of the largest companies in the industry have fallen victim to cyberattacks, resulting in “delayed closing times on new loans and prevented customers from making payments.” Within the last year alone, we have seen several of the largest companies in our industry fall prey to cybercriminals.
Understanding the New Requirements
The introduction of HUD’s new cybersecurity incident reporting standards has raised widespread discussion about operational readiness among lenders, particularly among smaller lenders that lack the resources of larger financial institutions.
Many lenders we have spoken to are working to adapt to the changes, acknowledging a steep learning curve. In its June 26, 2024, response to Mortgagee Letter 2024-10, the Mortgage Bankers Association (MBA) detailed that the changes pose significant challenges, especially for organizations with smaller IT staffs.
Pete Mills, MBA’s SVP of Residential Policy and Strategic Industry Engagement, wrote: “In the initial 12 hours of a cybersecurity incident, lenders are typically just beginning to assess system impacts, may still be actively defending against the intrusion, and might have an impaired ability to communicate with external parties due to compromised systems … In addition, details about an incident can change quickly during those initial hours.”
The difficulties extend beyond compliance with the tighter reporting window; lenders are also grappling with the ambiguity of what constitutes a “Significant Cybersecurity Incident.”
Defining a Significant Cybersecurity Incident
In its letter, HUD defined a significant incident as follows:
“A Significant Cybersecurity Incident (Cyber Incident) is an event that actually or potentially jeopardizes, without lawful authority, the confidentiality, integrity, or availability of information or an information system; or constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies and has the potential to directly or indirectly impact the FHA-approved mortgagee’s ability to meet its obligations under applicable FHA program requirements.”
The MBA expressed concerns about the broadness of this definition, particularly the inclusion of the word “potentially.” It noted that under this definition, even minor mishaps, such as a bank employee mistakenly emailing a client’s checking account statement to the wrong recipient, could be considered reportable, “even if neither client has a mortgage loan with the bank, let alone an FHA loan.”
To address these concerns, the MBA proposed a more precise definition:
“A Significant Cybersecurity Incident (Cyber Incident) is an event that directly or indirectly impacts the FHA-approved mortgagee’s ability to meet its obligations under applicable FHA program requirements, and jeopardizes, without lawful authority, the confidentiality, integrity, or availability of information or an information system.”
Industry Support for Clarity
At its recent reverse mortgage lender meetings, NRMLA backed the MBA’s call for a more uniform reporting framework. Industry participants emphasized that a narrower definition is essential for clarity, consistency, and fairness: it lets lenders focus on actual risks and ensures that industry players operate on a level playing field.
Lenders broadly agreed that balancing compliance with practical operational capabilities is critical.
What Comes Next for Lenders?
As the industry adapts to HUD’s new cybersecurity requirements, uncertainty lingers. Many lenders have expressed concerns about whether the new regulations could inadvertently expose them to greater risk by overwhelming their reporting systems and stretching their IT resources thin.
Lenders are grappling with the challenge of maintaining compliance while safeguarding their operations against ever-evolving cybersecurity threats.
Cybersecurity has always been a moving target for the mortgage industry, and new regulations like HUD’s Mortgagee Letter 2024-10 add another layer of complexity. Even so, in our conversations with industry professionals this fall, the sentiment was overwhelmingly positive.
Lenders expressed confidence in their ability to navigate the changes, while remaining hopeful that additional clarity and uniformity between regulators could simplify the process.
For our part, we will continue to closely monitor how the sector adapts to the tighter timelines. We stand ready to support lenders as they adjust to these new demands.