HUD Issues New Heightened Cybersecurity Incident Notice Requirements: 5 Things to Know

3 minute read | June.18.2024

The U.S. Department of Housing and Urban Development (HUD) has issued new heightened cybersecurity incident notice requirements that take effect immediately. FHA-approved mortgagees are now required to notify HUD of any suspected “significant cybersecurity incidents” within 12 hours of detection.

The new HUD requirement is in addition to and distinct from Ginnie Mae’s recently announced requirement that issuers of mortgage-backed securities report any suspected “significant cybersecurity incidents” to Ginnie Mae within 48 hours of detection.

Here are answers to five key questions about the new HUD requirement.

1. Who needs to comply?

The new reporting requirement applies to all FHA-approved mortgagees. Covered mortgagees include bank and non-bank lenders who have been approved by the Federal Housing Administration (FHA) to originate, underwrite, close, endorse, service, purchase, hold or sell FHA-insured mortgage loans.

2. What constitutes a “significant cybersecurity incident?”

The policy defines reportable cybersecurity incidents broadly to include any event that:

Actually or potentially jeopardizes, without lawful authority, the confidentiality, integrity or availability of information or an information system or
Constitutes a violation or imminent threat of violation of security policies, security procedures or acceptable use policies and has the potential to directly or indirectly impact the FHA-approved mortgagee’s ability to meet its obligations under applicable FHA program requirements.

Notably, the reporting obligation is not limited to incidents involving sensitive or confidential information. A cybersecurity incident involving other circumstances or categories of information could also trigger a reporting expectation from HUD.

3. How does an FHA-approved mortgagee report a “significant cybersecurity incident?”

An FHA-approved mortgagee is required to email HUD’s FHA Resource Center at [email protected] and HUD’s Security Operations Center at [email protected] within 12 hours of detection. The email must include:

Mortgagee name & ID.
Contact information for the mortgagee’s point of contact for Security Operations follow-up.
Description of the incident including, if known, the date, cause and impact to personally identifiable information, login credentials andIT system architecture.
List of any impacted subsidiary or parent companies.
Description of the status of the mortgagee’s incident response, including whether it has notified law enforcement.

4. How will this requirement impact FHA-approved mortgagees and subcontractors?

If you are an FHA-approved mortgagee:

Because the 12-hour time window is so short, you will likely have to improve the efficiency of your cybersecurity incident response plan.

If you are a subcontractor or third party working with an FHA-approved mortgagee:

Because cybersecurity incidents affecting you could indirectly affect the mortgagee and trigger reporting requirements, expect the mortgagee to seek to include heightened breach notice obligations in vendor contracts to comply with reporting obligations.

5. What options are available to mitigate risk?

FHA-approved mortgagees should work with experienced counsel to develop or refine risk mitigation strategies. Some options to consider include:

Implement and maintain reasonable security practices to limit the risk of a security incident.
Update your incident response plan to meet the 12-hour notification window:
- Determine which employees will decide whether to report to HUD.
- Include quick escalation to employees responsible for reporting.
- Run tabletop exercises to test your incident response plans.
Update contracts with subcontractors to include robust security incident notification requirements.

Want to know more? Contact one of the authors (Shannon Yavorsky, David Curtis, Melissa Klimkiewicz, and Shivani Chelliah) or another member of the Orrick team.

Authors

Shannon Yavorsky Partner, Cyber, Privacy & Data Innovation, Artificial Intelligence

San Francisco; Londra

See my bio

D:+1 415 773 5731
E: [email protected]

Practice:

Technology & Innovation Sector
Cyber, Privacy & Data Innovation
Artificial Intelligence
Technology Transactions
Compliance and Regulatory
Government Investigations and Enforcement Actions
Responsible Business
Strategic Advisory and Government Enforcement

vCard

See full bio

Shannon Yavorsky Partner

San Francisco; Londra

Shannon is uniquely qualified in California, England and Wales and helps global companies navigate the increasingly complex global privacy, cybersecurity and AI regulatory landscape.

Shannon also advises public and private companies across sectors such as life sciences, health technology, financial services, private equity, insurance, social media and technology on a wide range of EU and U.S. federal and state privacy, security and AI laws. Her strategic counseling covers compliance with key regulations and frameworks including the EU AI Act, GDPR, EPD, NIST AI Risk Management Framework, HIPAA, GLBA, FCRA, ECPA, CAN-SPAM, TCPA, advertising and payment card processing standards as well as U.S. state privacy and breach notification laws in California, Colorado, Connecticut, Utah, Virginia and other jurisdictions.

Shannon helps clients undertake comprehensive privacy, cybersecurity and AI risk assessments, evaluates privacy, security and AI risks in corporate transactions and drafts and negotiates data-related contracts. She advises clients on cross-border data transfers, data breaches and developing global privacy and AI compliance programs.

Shannon advises clients across diverse industries on designing tailored AI use policies and compliance frameworks, including innovative tools such as Gen AI Policy Builder and Privacy in a Box. She supports global companies with AI governance, privacy, cybersecurity and quantum computing, from negotiating agreements for AI-enabled features, and navigating technology integrations and ensuring compliance with rapidly evolving regulations. Her work includes counseling on responsible AI innovation, algorithm development, quantum computing and enterprise privacy programs leading technology, healthcare and cybersecurity organizations. She also helps clients build robust incident preparedness and response strategies and provides ongoing guidance to strengthen privacy and AI governance across their operations.

Additionally, Shannon is recognized for her thought leadership in the AI space, regularly speaking game at industry events and training corporate legal departments on AI regulatory developments, emerging risks and opportunities.

David Curtis Of Counsel, Cyber, Privacy & Data Innovation, Technology Transactions

Boston; Seattle

See my bio

D:+1 617 880 2203
E: [email protected]

Practice:

Technology & Innovation Sector
Cyber, Privacy & Data Innovation
Technology Transactions
Strategic Advisory and Government Enforcement

vCard

See full bio

David Curtis Of Counsel

Boston; Seattle

His practice focuses on negotiating data licenses and other commercial contracts, drafting privacy notices, and providing practical product counseling. With experience managing hundreds of strategic transactions each year, David helps clients streamline compliance efforts and navigate complex regulatory and business challenges.

David’s work spans a range of technology industries, including PropTech, HealthTech, and EdTech among others. He regularly advises clients on privacy policies, terms of service, and data processing agreements, with a particular focus on compliance with the California Consumer Privacy Act (CCPA) and other state privacy laws, state data broker laws, AI regulations, the Children’s Online Privacy Protection Act (COPPA), and cross-border data transfer requirements under the EU and UK General Data Protection Regulation (GDPR). David also counsels clients on AI-powered products, on digital advertising, Internet law, and consumer protection, helping clients anticipate and address evolving legal risks.

A founding member of Orrick’s Boston office, David recently returned to Massachusetts after many years in Seattle. He is a member of the Boston Bar Association’s Privacy, Cybersecurity & Digital Law steering committee. David has also served as an adjunct professor at Harvard Law School, where he taught legal research and writing.

Melissa Klimkiewicz Senior Counsel, Financial & Fintech Advisory, Strategic Advisory and Government Enforcement

Washington, D.C.

See my bio

D:+1 202 349 8098
E: [email protected]

Practice:

Financial & Fintech Advisory
Strategic Advisory and Government Enforcement
Fintech

vCard

See full bio

Melissa Klimkiewicz Senior Counsel

Washington, D.C.

She frequently assists Federal Housing Administration (FHA) mortgagees with their program approval efforts, annual recertifications, compliance with and understanding of program rules and self-reporting obligations, audits by the Quality Assurance Division (QAD), inquiries from the Office of Inspector General (OIG) and enforcement actions by the Mortgagee Review Board (MRB). Melissa performs similar work related to the Ginnie Mae, U.S. Department of Housing and Urban Development (HUD) Section 184, U.S. Department of Veterans Affairs (VA Department) and U.S. Department of Agriculture Rural Housing Service loan programs. Her work also includes assisting clients with False Claims Act (FCA)-based risk assessments arising from participation in government lending programs. She represents both mortgage and reverse mortgage/Home Equity Conversion Mortgage (HECM) lenders and servicers.

In addition, Melissa’s practice focuses on the mandatory purchase of flood insurance requirements under the Flood Disaster Protection Act, which includes regularly advising lenders and servicers on the ins and outs of the federal banking agencies’, FHA’s and the government sponsored enterprises’ (GSE) flood insurance-related regulations and guidance. She also assists clients with satisfying Consumer Financial Protection Bureau (CFPB) and other regulators’ expectations for providing assistance to consumers impacted by presidentially declared disasters.

Melissa frequently counsels clients in matters arising under the Real Estate Settlement Procedures Act (RESPA), Truth in Lending Act (TILA), Consumer Financial Protection Act (CFPA), Mortgage Acts and Practices Rule (MAP), the Secure and Fair Enforcement for Mortgage Licensing Act (SAFE) and related state licensing laws, state regulation of real estate brokers and property managers, and a range of other federal and state consumer financial laws impacting lending and servicing.

Melissa has been recognized by The Legal 500 in the Financial Services: Litigation practice area. She is a former Co-Chair (2014-2017) and Co-Vice Chair (2011-2014) of the Housing Finance Subcommittee of the American Bar Association’s Consumer Financial Services Committee. She also is an active member of the Mortgage Bankers Association and National Reverse Mortgage Lenders Association.

Prior to joining Orrick, Melissa was senior counsel and a former partner at Buckley LLP. Previously, she was an associate at Howrey LLP and was a law clerk at Buckley Kolar LLP while attending law school.

Related Areas

Additional Author

Shivani Chelliah Summer Associate, Washington, D.C.

E[email protected]