The National Reverse Mortgage Lenders Association (NRMLA) said this week that it has submitted comments to the U.S. Department of Housing and Urban Development (HUD) requesting that the agency, at minimum, align its cybersecurity reporting requirements with those of Ginnie Mae. Ideally, however, it wants the extension to be even longer.

A draft Mortgagee Letter (ML) was posted Sept. 30 and is viewable on the Single Family Drafting Table, an online portal for proposed but not yet implemented HUD policy. The ML updates the requirements for Federal Housing Administration (FHA)-approved lenders, which must notify HUD “when a reportable cyber incident occurs” within 36 hours of first detection.

The document “provides a clearer definition of what constitutes a cyber incident and requires FHA-approved mortgagees to notify HUD as soon as possible — but no later than 36 hours — after determining that a reportable cyber incident has occurred,” according to an announcement of the draft document published in September. “These updated reporting requirements harmonize FHA with existing standards established by the federal banking agencies.”

But NRMLA said in a letter submitted through the Drafting Table that it would be better to align with similar policies announced by Ginnie Mae earlier this year. The government-owned company issued an All-Participant Memorandum (APM) in March that gives issuers 48 hours to notify the company of the relevant details related to a suspected breach.

The trade association announced the move in an email update to its membership. After consulting with its HUD issues and servicing committees, NRMLA said the ideal scenario would be greater alignment with a timetable proposed by the Office of the National Cyber Director, a division inside the White House.

“[T]he goal of harmonizing cybersecurity standards across all federal agencies, as proposed by the Office of the National Cyber Director, is laudable and its proposed timeline for incident reporting is more realistic and reasonable,” NRMLA’s letter said. “For that reason, we strongly advocate that the Department revise its ML and adopt the 72-hour reporting timeframe proposed by the Office of the National Cyber Director.”

HUD’s proposed guidance would itself be an extension. ML 2024-10, issued in May, shortened the requirement to only 12 hours. But NRMLA contends that an extension to 72 hours would serve to “harmonize” requirements across multiple federal agencies.

Global businesses have become increasingly susceptible to the actions of bad actors seeking to compromise computer systems and either steal data or hold systems hostage for a payment via “ransomware.” Such attacks compromise the information security systems of companies everywhere, and they can expose consumers’ personal and financial information.

In August, the Federal Housing Finance Agency (FHFA)’s Office of the Inspector General issued a report stating that the agency was highly vulnerable to hacking. The FBI reported earlier this year that cybercrime losses rose to a record high of $12.8 billion in 2023. Mortgage lender loanDepot was heavily impacted by a cyberattack in January, and the company said the event impacted its operating performance in first-quarter 2024.

Other entities recently impacted by cyberattacks include Mr. Cooper Group, First American and Fidelity National Financial, the parent of servicer LoanCare. Each of these incidents caused the companies to temporarily shut down certain systems to contain attacks that exposed customer data. The accelerating frequency of cybercrime has many of these entities on edge.

NRMLA asks HUD to extend reporting timetable for cybersecurity incidents