Skip to content


New Cyber Security Requirements for the 2022 Pennsylvania Housing Finance Agency (PHFA) Multifamily Housing Underwriting Application

According to documents from PHFA there are new requirements surrounding cyber security for 2022 applicants. According to the 2022 Qualified Allocation Plan, “Applicants must demonstrate the use of affirmative cyber security measures as a central element in their regular business procedures and practices. All applicants must certify to the Agency the presence of ongoing cybersecurity practices which include, at a minimum, the following principles: 1) multifactor authentication procedures; 2) password policies; 3) the use of system security software; and 4) staff cyber security education.”

These conditions are required regardless of the size of the applicant’s organization or environment. These four items are basic requirements any organization should have in place to protect their employees and the data of their residents, clients, or customers.

Social engineering is one of the best routes to hack into an organization and gain sensitive data. Social engineering involves the use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes. This may take the form of phishing, emails that try to get users to give up their passwords or other personal information that would lead to unauthenticated access to the organization’s environment. It may take the form of a phone call or a Facebook game that asks personal information. The attackers are particularly good at this, and employees need to be aware of potential breaches caused by this vulnerability. The avenues hackers are using for social engineering are always changing.

Multifactor Authentication

Multifactor Authentication helps in multiple ways and is the first requirement for a PHFA applicant. It can reassure the organization that if social engineering does work for the attacker there is still another line of defense. Once the attacker gains the user’s password they still must get through another form of authentication. Usually, the second form of multifactor authentication will be an approval sent to the user’s smart phone. Multifactor authentication has been available for many years and is something every organization should implement regardless of their size.

Bad passwords, repeating passwords, and common passwords have also been around for decades. Organizations need to make sure users understand the importance of unique complex passwords. For example, if a user uses the same password for their Lowe’s account as well as their/your organization and either is breached the attacker will have access to both. A password management tool is essential in the current environment.

Password Policies

Password policies helps the organization stay secure and is the second requirement for a PHFA applicant. My suggestion would be to use Microsoft, SANs or Center for Information Security’s password recommendations and document those standards in an IT Policy that is communicated and signed off by all staff annually. I would also configure your IT environment to only allow the passwords that meet the minimum standards in your IT policy.

Not knowing something is breached should not make you feel secure but at times we are lulled into that feeling of security. In order for organizations to know they have an issue we need to have system security software in place to recognize the issue, notify the proper IT professionals and react to the issue.

System Security Software

System security software comes in many forms and is the third requirement for the PHFA applicant. My suggestion would be CrowdStrike or SentinelOne. Both are great applications and are a defense against ransomware and other vulnerabilities. There is a difference between system security software. If you are using the same application that you used 10 years ago it is more then likely not effective in today’s environment.

Employees or users in the organization are by far the weakest link in security. I do not mean to put down the employee or user but those are the facts. We can have a million dollars of security equipment in the environment and still get breached if the employee gives up their password on Facebook and approves their multifactor authentication that they did not initiate.

Staff Cyber Security Education

Staff Cyber Security Education is the fourth requirement of the PHFA applicant. PHFA will be putting out a list of Agency approved cybersecurity courses. I encourage you to think of this as an investment in your organization and employees rather then an expense. The better the security controls are in your environment the less headaches down the road.

If you have questions or need further explanation on the four requirements for the 2022 PHFA Multifamily Housing Underwriting Application, please contact David Hammarberg, leader of McKonly & Asbury’s SOCCybersecurity, Forensic Examination, and Information Technology practices. McKonly & Asbury is a leader in accounting and consulting for affordable housing partnerships. Our team has the specialized knowledge to help you ensure you comply with PHFA requirements.

About the Author

David Hammarberg

David is a Partner with McKonly & Asbury. He has been an integral part of our firm for over 20 years, serving our clients in a variety of information technology and accounting capacities. David’s expertise and service focus areas inclu… Read more

Related Services

Related Industries

Subscribe to Our Newsletter

Contact Us