Effective immediately, Mortgagee Letter 2024-23 requires mortgagees to notify the Department of Housing and Urban Development as soon as possible — but no later than 36 hours — after determining that a reportable cyber incident has occurred.
HUD defines a reportable cyber incident as one that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, the FHA-approved Mortgagee’s ability to meet its operational obligations for originating or servicing FHA-insured mortgages.
Mortgagees can report such incidents via the FHA Resource Center at answers@hud.gov as well as HUD’s Security Operations Center at cirt@hud.gov.