DS News

MortgagePoint April 2025

DSNews delivers stories, ideas, links, companies, people, events, and videos impacting the mortgage default servicing industry.

Issue link: http://digital.dsnews.com/i/1533987


Many lenders we have spoken to are working to adapt to the changes, acknowledging a steep learning curve. In its June 26, 2024, response to Mortgage Letter 2024-10, the Mortgage Bankers Association (MBA) detailed that the changes pose significant challenges, especially for organizations with smaller IT staff.

Pete Mills, MBA's SVP Residential Policy and Strategic Industry Engagement, detailed that: "In the initial 12 hours of a cybersecurity incident, lenders are typically just beginning to assess system impacts, may still be actively defending against the intrusion, and might have an impaired ability to communicate with external parties due to compromised systems … In addition, details about an incident can change quickly during those initial hours."

The difficulties extend beyond compliance with the tighter reporting window; lenders are also grappling with the ambiguity of what constitutes a "Significant Cybersecurity Incident."

Defining a Significant Cybersecurity Incident

In its letter, HUD defined a significant incident as follows:

"A Significant Cybersecurity Incident (Cyber Incident) is an event that actually or potentially jeopardizes, without lawful authority, the confidentiality, integrity, or availability of information or an information system; or constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies and has the potential to directly or indirectly impact the FHA-approved mortgagee's ability to meet its obligations under applicable FHA program requirements."

The MBA expressed concerns about the broadness of this definition, particularly the inclusion of the word "potentially."
They noted that under this definition, even minor mishaps, such as a bank employee mistakenly emailing a client's checking account statement to the wrong recipient, could be considered reportable, "even if neither client has a mortgage loan with the bank, let alone an FHA loan."

To address these concerns, the MBA proposed a more precise definition:

"A Significant Cybersecurity Incident (Cyber Incident) is an event that directly or indirectly impacts the FHA-approved mortgagee's ability to meet its obligations under applicable FHA program requirements, and jeopardizes, without lawful authority, the confidentiality, integrity, or availability of information or an information system."

Industry Support for Clarity

At its recent reverse mortgage lender meetings, NRMLA backed the MBA's call for a more uniform reporting framework. Industry participants emphasized that a narrower definition is essential to ensure clarity, consistency, and fairness, while allowing lenders to focus on actual risks, and to ensure that industry players can operate on a level playing field.

Lenders broadly agreed that balancing compliance with operational realities is critical, especially as the industry attempts to balance compliance with practical operational capabilities.

What Comes Next for Lenders?

As the industry adapts to HUD's new cybersecurity requirements, uncertainty lingers. Many lenders have expressed concerns about whether the new regulations could inadvertently expose them to greater risk by overwhelming their reporting systems and stretching their IT resources thin. Lenders are grappling with the challenge of maintaining compliance while safeguarding their operations against ever-evolving cybersecurity threats.

Cybersecurity has always been a moving target for the mortgage industry, and new regulations like HUD's Mortgage Letter 24-10 add another layer of complexity.
In our conversations with industry professionals this fall, the sentiment was overwhelmingly positive. Lenders expressed confidence in their ability to navigate the changes, while remaining hopeful that additional clarity and uniformity between regulators could simplify the process.

For our part, we will continue to closely monitor how the sector adapts to the tighter timelines. We stand ready to support lenders as they adjust to these new demands.
