BPI, ABA and HPC Request Federal Housing Administration Reconsider Cyber Incident Reporting Requirements

Dear Ms. Gordon,

The American Bankers Association,[1] Bank Policy Institute[2] and the Housing Policy Council[3] (collectively, the Associations) write to provide feedback on the Federal Housing Administration’s (FHA) Mortgagee Letter 2024-10 establishing cyber incident reporting requirements for FHA-approved mortgagees. The Mortgagee Letter, effective immediately, contains wide-ranging and rapid requirements for cyber incident reporting that are simply not achievable and will present considerable compliance challenges for FHA-approved mortgagees.

Therefore, the Associations request that FHA withdraw the current Mortgagee Letter and reconsider the terms set forth. An immediate suspension would allow the agency additional time to consider other existing cyber regulatory reporting requirements and to develop an approach that satisfies FHA’s goals without introducing unique new standards that will create adverse operational impacts for firms and customers during the critical stages of incident response.

As currently drafted, the Mortgagee Letter has an impractical “significant cybersecurity incident” definition, combined with an insufficient reporting timeframe. The definition covers events that “potentially jeopardize” information or information systems or pose an “imminent threat of violation” to security policies, both ambiguous standards to meet.[4] On top of that, FHA-approved mortgagees must report incidents “within 12 hours of detection,”[5] which is extraordinarily challenging, in part because of dependence on reporting from third-party service providers. Taken together, those thresholds for reporting extend beyond any existing Federal or state reporting requirement.

The breadth and speed of the Mortgagee Letter’s current requirements are also inconsistent with several ongoing government cyber regulatory harmonization efforts. This includes the Cyber Incident Reporting Council’s (“CIRC”) work to coordinate, deconflict, and harmonize Federal incident reporting requirements.[6] Moreover, the requirements are at odds with the National Cybersecurity Strategy’s objective “to harmonize not only regulations and rules, but also assessments and audits of regulated entities” to “minimize the burden of unique requirements.”[7]

As last year’s CIRC report identified, there are at least eight separate incident reporting requirements applicable to financial institutions.[8] Among others, these include the prudential banking regulators’ Computer-Security Incident Notification Rule[9] and the Cyber Incident Reporting for Critical Infrastructure Act.[10] Introducing a new requirement with a distinct threshold and timeframe for reporting threatens to further complicate an already complex regulatory landscape. In fact, according to a recent survey of large financial institutions, firm cyber teams now spend as much as 70 percent of their time on regulatory compliance matters. Therefore, an uncoordinated approach to regulatory reporting requirements is not without consequence and leaves cyber professionals with less time for the core security activities that are essential to effectively managing the organization’s cyber risk.


[1] The ABA is the voice of the nation’s $23.4 trillion banking industry, which is composed of small, regional, and large banks that together employ approximately 2.1 million people, safeguard $18.6 trillion in deposits, and extend $12.3 trillion in loans.

[2] The Bank Policy Institute is a nonpartisan public policy, research and advocacy group that represents universal banks, regional banks, and the major foreign banks doing business in the United States. The Institute produces academic research and analysis on regulatory and monetary policy topics, analyzes and comments on proposed regulations, and represents the financial services industry with respect to cybersecurity, fraud, and other information security issues. Business, Innovation, Technology and Security (“BITS”), BPI’s technology policy division, provides an executive-level forum to discuss and promote current and emerging technology, foster innovation, reduce fraud, and improve cybersecurity and risk management practices for the financial sector.

[3] The Housing Policy Council is a trade association comprised of the leading national mortgage lenders and servicers; mortgage, hazard, and title insurers; and technology and data companies. Our interest is in the safety and soundness of the housing finance system, the equitable and consistent regulatory treatment of all market participants, and the promotion of lending practices that create sustainable homeownership opportunities in support of vibrant communities and long-term wealth building for families. For more information, visit www.housingpolicycouncil.org.


[5] Id.

[6] DEP’T OF HOMELAND SEC., HARMONIZATION OF CYBER INCIDENT REPORTING TO THE FEDERAL GOVERNMENT 2 (2023), https://www.dhs.gov/sites/default/files/2023-09/Harmonization%20of%20Cyber%20Incident%20Reporting%20to%20the%20Federal%20Government.pdf

[7] OFFICE OF THE NAT’L CYBER DIR., NATIONAL CYBERSECURITY STRATEGY 9 (2023), https://www.whitehouse.gov/wp-content/uploads/2023/03/National-Cybersecurity-Strategy-2023.pdf

[8] DEP’T OF HOMELAND SEC., HARMONIZATION OF CYBER INCIDENT REPORTING TO THE FEDERAL GOVERNMENT 9 (2023), https://www.dhs.gov/sites/default/files/2023-09/Harmonization%20of%20Cyber%20Incident%20Reporting%20to%20the%20Federal%20Government.pdf

[9] Computer-Security Incident Notification Requirements for Banking Organizations and Their Bank Service Providers, 86 Fed. Reg. 66424 (Nov. 23, 2021).

[10] 6 U.S.C. § 681.