The FHA has issued Mortgagee Letter 2024-10. It outlines strict rules for reporting major cybersecurity incidents. It’s based on advice from the Department of Homeland Security (DHS). This solution follows the Federal Information Security Modernization Act (FISMA) from 2014. It also follows the recommendations of many contributing agencies.

The HUD acts under a US Government initiative to combat cybercriminals. Thieves are trying to steal data or disrupt businesses. They target the handling or securing of home purchasers’ information. They also try to extort the mortgagee or consumer. 

The letter has two takeaways. First, we’ve got to plan ahead. Second, we’ve got to have a quick response. 

What is HUD asking in this notification? 

You are an approved Mortgagee. This letter states that you must report a real or suspected event within 12 hours of finding it. You must report it to both the HUD FHA Resource Center ( Also, report it to HUD’s Security Operations Center ( 

So, what is a “cyber incident” that requires me to report it?   

A cyber incident is a successful attack or entry into a computing system. This includes laptops, clouds, servers, and mobiles. You must report it if it violates any of the following:

  • the confidentiality of the information, data, and transactions.
  • the integrity of the data or systems handling the data
  • The availability of the information or the systems that handle the information.

This information includes social security and financial numbers. For the business and/or the consumer. It is also a “successful cyberattack” if you think someone has touched the data. This includes files or folders, a loan or other document, disrupted flow or storage.  You have to report it. 

What information do you need to collect? 

HUD needs to know several facts about your cyber incident when you email the two addresses above:

  • The name of the mortgagee
  • The Mortgage ID number
  • Give the name, email, and phone number of Mortgagee’s Security Operations Center. Or, give the contact info for the person responsible for Security at the Mortgagee.
  • The Cyber Incident description including:
  • Date of incident 
  • Cause of incident 
  • Impact to Personal Identifiable Information  
  • Impact to the login credentials  
  • Impact to the systems affected by the Cyber Incident 
  • Were any subsidiaries or parent company affected? 
  • Current status of the Incident response taken 
  • Were law enforcement agencies involved or notified? 

Can we take proactive steps to reduce or prevent cyber incidents? 

The good news is -yes.  A big YES!  Cyber Security focuses on three areas: People, Process, and Technology. Each of these plays an integral part in your protection and the information of the consumer. Goliath Cyber Security Group recommends evaluating each of these areas. It’s key for a healthy and resilient security posture. 


Train your staff in the latest cyber threats that affect your business. Test them often to ensure retention of the “good behaviors” are in place. Prevention starts with our people. 


Build a program to handle cyber “bumps in the night.” These happen when someone tries to break into the business and data you protect.  Test the process using tabletop exercises, which “role-play” an attack. This helps improve the program step by step. It makes sure each person knows what to do. 


Choosing and using technology well keeps out the bad actors. It also protects our employees and information. It also helps us work in the most optimal way. Enabling the features, integration, and tools with automation helps. It makes a resilient security environment of protection. 

If you have firewalls or security tools, they block unauthorized access. They prevent access to these systems, files, or information. This includes EDR/XDR/MDR computer protection. So, they’re doing their jobs.

If no one breached your defenses and no alerts or events suggest a breach, you don’t need to report this to HUD. The security tools are working. Note: if there is a sign of an attack, let your security staff check. As a precaution. 

What if I’m not a Cyber Expert?  Goliath Cyber Security Group stands ready to be your partner in simplifying cybersecurity. We work with those in the mortgage and financial spaces. You focus on mortgages. We focus on your protection.

Don’t wait for a breach! Contact Goliath Cyber today for proactive cybersecurity!


Comments are closed