Mortgagees Have 36 Hours to Report Cyber Incidents

Mortgagees Have 36 Hours to Report Cyber Incidents

Effective immediately, Mortgagee Letter 2024-23 requires mortgagees to notify the Department of Housing and Urban Development as soon as possible — but no later than 36 hours — after determining that a reportable cyber incident has occurred.

HUD defines a reportable cyber incident as one that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, the FHA-approved Mortgagee’s ability to meet its operational obligations for originating or servicing FHA-insured mortgages.

Mortgagees can report such incidents via the FHA Resource Center at answers@hud.gov as well as HUD’s Security Operations Center at cirt@hud.gov.

Published by

Darryl Hicks

Darryl Hicks is Vice President of Communications for the National Reverse Mortgage Lenders Association. In this capacity, Hicks writes for NRMLA's publications, manages the association's web sites and social media accounts, assists committees and the Board of Directors, and manages the Certified Reverse Mortgage Professional designation. Prior to joining NRMLA in 1999, Hicks spent three years in the Washington, D.C. bureau for National Mortgage News.