The Window to Report Breaches Is Shrinking
While some companies still seem clueless and others get fined (and sued) for delaying breach reports, the window (and the door) is closing rapidly on that.
The SEC says that publicly traded companies have four business days after determining that a breach is material to file an 8-K to notify investors.
DoD contractors have 72 hours to report their breach.
Gone are the days (at least if you want to be legal) of reporting breaches in 30, 60, 90 days or more.
Health and Human Services is in the process of updating the HIPAA reporting rules. Expect their window to narrow as well.
Last week the Federal Housing Administration issued a “Mortgagee Letter” with their good news.
The FHA is one of the largest insurers of home mortgages and this “ML” takes effect immediately for any mortgagee (aka mortgage lender) who originates loans that are insured by the FHA.
Mortgagee Letter 2024-10, dated May 23, 2024, says two important things beyond the fact that it takes effect immediately.
- If an FHA-approved Mortgagee experiences a SUSPECTED significant cybersecurity incident, it has TWELVE HOURS TO REPORT IT TO HUD’S SECURITY OPERATIONS CENTER.
- In addition to notifying HUD, there is a list of information HUD requires you to provide within those 12 hours. From the letter:
Cyber Incidents reported to HUD’s FHA Resource Center at answers@hud.gov and HUD’s Security Operations Center at cirt@hud.gov must include the following information:
- Mortgagee name;
- Mortgagee ID;
- name, email address, and phone number of Mortgagee’s point of contact for Security Operations Center follow-up activities;
- description of the Cyber Incident, including the following, if known:
  - date of Cyber Incident;
  - cause of Cyber Incident;
  - impact to Personally Identifiable Information;
  - impact to login credentials; and
  - impact to Information Technology (IT) system architecture;
- list of any impacted subsidiary or parent companies; and
- description of the current status of the Mortgagee’s Cyber Incident response, including whether law enforcement has been notified.
Note that this is effective immediately.
A copy of the letter can be found here.
I suspect that this is a reaction to the multiple large lender breaches this winter like Fidelity, First American, Mr. Cooper and others.
Assuming you can whip up that list in 12 hours, you are good to go.
On the other hand, if you can’t do that, now might be a good time to update your cybersecurity and privacy program.
If you need help, please contact us.