In a pivotal move this week, the National Reverse Mortgage Lenders Association (NRMLA) has thrown its hat into the ring, urging the U.S. Department of Housing and Urban Development (HUD) to rethink its cybersecurity reporting requirements. The association not only seeks alignment with Ginnie Mae’s existing standards but also hopes for an even more generous timeframe.
On September 30, HUD unveiled a draft Mortgagee Letter (ML), which can be explored on the Single Family Drafting Table—a digital repository for pending HUD policy revisions. This draft stipulates that Federal Housing Administration (FHA)-approved lenders must alert HUD within a 36-hour window upon uncovering a reportable cyber incident.
The ML clarifies the definition of a ‘cyber incident’ while mandating that FHA-approved mortgagees must inform HUD “as soon as possible” (but no later than that critical 36-hour mark) once a reportable cyber event has been identified. The goal, it claims, is to synchronize FHA’s protocols with the stringent standards set forth by federal banking regulators.
Yet NRMLA, in a pointed missive delivered through the Drafting Table, voices its advocacy for a more favorable alignment with Ginnie Mae’s policies established earlier this year. In March, Ginnie Mae disseminated an All-Participant Memorandum (APM) granting issuers a full 48 hours to relay pertinent details following a suspected breach.
In an update dispersed via email to its members, NRMLA, following consultations with its HUD issues and servicing committees, posited that an even more ideal scenario would involve synchronization with the timeline suggested by the Office of the National Cyber Director—an arm of the White House.
The association’s letter spells out its position: “[T]he goal of harmonizing cybersecurity standards across all federal agencies, as envisaged by the Office of the National Cyber Director, is commendable, and its proposed incident reporting timeline of 72 hours is far more practical.” Thus, NRMLA strongly advocates for HUD’s revision of its ML to incorporate the desired 72-hour reporting standard.
It’s worth noting that HUD’s proposed guidance already extends the previous deadline; ML 2024-10, issued in May, mandated a stringent 12-hour notification requirement. In stark contrast, NRMLA’s proposed alignment seeks not merely an extension but a pathway toward a holistic integration of cybersecurity protocols across federal agencies.
The specter of cyberattacks looms large over global enterprises, with malicious actors increasingly homing in on systems to pilfer sensitive data or launch ransomware schemes, creating a digital landscape riddled with peril. These incursions into information security can put consumer data in jeopardy, stirring considerable unrest across various sectors.
Amid this atmosphere of concern, the Federal Housing Finance Agency (FHFA) Office of the Inspector General recently sounded alarms about the agency’s heightened susceptibility to cyber threats. The FBI reported earlier this year that cybercrime losses surged to an unprecedented $12.8 billion in 2023. Mortgage lender loanDepot found itself reeling from a massive cyber assault in January, which reportedly hampered its operational performance going into the first quarter of 2024.
Other prominent entities, too, have felt the sting of cyber incursions, including Mr. Cooper Group, First American, and Fidelity National Financial, each undergoing systemic shutdowns to curtail attacks that exposed critical customer data. The rising frequency of cybercrime has left many in the industry feeling ever more exposed and on alert.