DSNews delivers stories, ideas, links, companies, people, events, and videos impacting the mortgage default servicing industry.
Issue link: http://digital.dsnews.com/i/1533987
MortgagePoint » Your Trusted Source for Mortgage Banking and Servicing News 36 April 2025 F E A T U R E S T O R Y CYBERSECURITY CHANGES ARE IMPACTING LENDERS NOW New regulatory mandates, coupled with recent high-profile cyber incidents, have placed the industry on heightened alert, reinforcing the need for proactive cybersecurity measures and robust security protocols. B y G E O R G E M O R A L E S C ybersecurity remains a top priority in industry discussions and in the news. Over the past five years, nearly every business conference we have attended has featured at least one session dedicated to this critical topic. It remains highly relevant and shows no signs of diminishing in importance. Cy- bersecurity was prominently featured on the agendas at both the National Reverse Mortgage Lenders Association (NRM- LA) Annual and the American Credit Union Mortgage Association (ACUMA) Conferences, underscoring its continued significance across the industry. Now, with changes to notification requirements published by HUD in Mort- gagee Letter 2024-10, the topic of cybersecu- rity incidents has become more critical than ever. New regulatory mandates, coupled with recent high-profile cyber incidents, have placed the industry on heightened alert, reinforcing the need for proactive measures and robust security protocols. What's Changing Now I n Mortgage Letter 2024-10, HUD made significant changes to the reporting requirements for FHA lenders regarding "significant cybersecurity incidents," particularly tightening the timeline for such notifications. While HUD welcomed feedback to inform future updates, these took effect immediately. While only three pages long, the letter had a substantial im- pact on the industry, prompting lenders to reevaluate their cybersecurity protocols and response strategies. In a letter, Julia R. Gordon, former Assistant Secretary for Housing wrote: "An FHA-approved Mortgagee that has experienced a suspected Cyber Incident must report the Cyber Incident to HUD's FHA Resource Center … and HUD's Security Operations Center … within 12 hours of detection." While this timeline underscores HUD's urgency in addressing cybersecurity, it often takes time for orga- nizations to fully understand the nature and severity of a cybersecurity incident, making compliance with the requirement particularly challenging. The problem for many lenders lies in the conflicting requirements set by other agencies. While HUD has implemented stricter timelines for reporting significant cybersecurity incidents, other agencies, such as the Office of the National Cyber Director and Ginnie Mae, allow for greater flexibility in the reporting process. Notably, at the recent conversations at the NRMLA HUD Issues Committee meeting, cybersecurity took center stage, highlighting the industry's growing con- cern and the urgent need for clarity and alignment on these critical requirements. The concerns are understandable. Recent high-profile cyber incidents have exposed vulnerabilities across the mort- gage lending sector, raising alarms about potential data breaches and operational disruptions. As detailed by Matt Kapko in the February 6, 2024, edition of "CyberSe- curityDive," some of the largest compa- nies in the industry have fallen victim to cyberattacks, resulting in "delayed closing times on new loans and prevented cus- tomers from making payments." Within the last year, we have seen some of the largest companies in our industry falling prey to cybercriminals. Understanding the New Requirements T he introduction of HUD's new cyber- security incident reporting standards has raised widespread discussion about operational readiness among lenders, particularly among smaller lenders that lack the resources of larger financial institutions. G E O R G E M O R A L E S is National Sales Director at Mortgage Cadence. He is also Chair of MISMO's Reverse Mortgage Development Workgroup. Connect with George on LinkedIn at www.linkedin. com/in/lbgem/.