Complying with NCUA’s Cyber Incident Reporting Rules for Credit Unions

The NCUA has put new cyber incident reporting standards for credit unions into effect. The final rule requires federally insured credit unions to report a “reportable cyber incident” to the NCUA within 72 hours of the incident. It follows the 36-hour notification requirement imposed on banking institutions last year. Although the final rule tightens credit unions’ reporting obligations, it may also require them to disclose far more incidents to the NCUA than banks must disclose under their own rule. The new rule continues the trend of regulators emphasizing financial institutions’ cybersecurity precautions, specifically by mandating faster reporting of events.

Why is the Rule being Implemented?

The rule became operative on September 1, 2023, following an executive order on Cyber Incident Reporting for Critical Infrastructure. In the event of a coordinated attack or widespread event, the NCUA can share the information with the Cybersecurity and Infrastructure Security Agency (CISA), improving cybersecurity awareness, cooperation, and information sharing across the industry.

Understanding the New Rule

According to the rule, credit unions must notify the NCUA of any reportable cyber incident within 72 hours of forming a reasonable belief that it has occurred. The notification is an early alert to the NCUA; credit unions are not required to provide a full incident assessment within the 72-hour window.

Under the final rule, federally insured credit unions must report a cyber incident that leads to a substantial* loss of confidentiality, integrity, or availability of a network or member information system because of the exposure of sensitive data or the disruption of vital member services, or that has a serious impact on the safety and resiliency of operational systems and processes.

*Substantial, as defined by each credit union. Credit union leaders in technology, risk, and compliance should identify and document what a substantial incident would entail for their organization.

Additionally, cyberattacks that disrupt a credit union’s business operations, vital member services, or a member information system must be reported to the NCUA within 72 hours of the credit union’s reasonable belief that it has experienced a cyberattack. Reportable events include disruption of business operations or unauthorized access to sensitive data caused by a supply chain compromise, a CUSO, a cloud service provider, a managed service provider, or another third-party data hosting provider; and disruption of business operations, vital member services, or a member information system because of a cyberattack or the exploitation of vulnerabilities.

Instances of Reportable Events

The NCUA’s final regulation provides a few instances of what could qualify as a reportable cyber incident, including but not limited to:

  • Sensitive data improperly altered or exposed to an unauthorized person, process, or device.
  • A system update or modification that went wrong and caused unanticipated, widespread outages for credit union staff and members.
  • Disruption of member account access through a distributed denial of service (DDoS) attack.

The rule states that certain instances, such as failed malware attacks or failed attempts to access systems, are exempt from the reporting requirement. Furthermore, there is no notification obligation for third-party incidents of which the credit union is unaware, even when those incidents involve information about people who happen to be members or employees of the credit union.

How Do You Report an Incident?

Incidents may be reported to the NCUA “via email, telephone, or other similar methods that the NCUA may prescribe,” per the final regulation. The reporting procedures allow credit unions to adjust their approach according to the potential impact of a cyberattack. Furthermore, the NCUA has emphasized that a preliminary report need not contain a comprehensive incident analysis.

How can I prepare?

  • Add a reporting section to your Incident Response Plan. Identify when the reporting decision will be made, by whom, and how it will be documented. Consider building a decision flow chart to ensure all critical steps are completed.
  • Add reporting considerations to incidents involving vendors and suppliers. Be prepared to act on incidents where a supplier’s action may expose sensitive data.
  • Train incident response team personnel on this new requirement and any new steps they may take during the response process.
  • Build the reporting processes into tabletop exercises and rehearse quarterly.

New guidelines and regulations are not uncommon for credit unions. As credit unions grow larger and more complex, the regulatory framework must keep pace to maintain the strength and stability of the entire credit union system. We will therefore continue to see the NCUA respond to emerging risks. Keeping current on advisories and information from the NCUA will help prepare us for the next critical regulations. Pure IT’s Professional Services Team is available to advise and lead your team through new regulations, ensuring proper documentation, processes, and policies are in place to protect your credit union.