The League – Fostering Financial Wellbeing for All

NCUA issues guidance on Sept. 1 Cyber Incident Notification Requirements rule


NEWS: Beginning on September 1, 2023, all federally insured credit unions must notify the NCUA as soon as possible, and no later than 72 hours, after the credit union reasonably believes it has experienced a reportable cyber incident or received a notification from a third party regarding a reportable cyber incident.

The League has previously published this Compliance Courier with basic information about the new Cyber Incident Notification Requirements rule. More recently, the NCUA issued Letter to Credit Unions No. 23-CU-07 to provide credit unions with more details, resources, and implementation guidelines. The letter includes a Cyber Incident Reporting Quick Reference Guide.

“Cyber incidents”

The letter begins by reviewing the definition of a “cyber incident,” which means an occurrence that actually or imminently jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information on an information system, or actually or imminently jeopardizes, without lawful authority, an information system.
 
It goes on to explain that a “reportable cyber incident” means any substantial cyber incident that leads to one or more of the following outcomes: 

  • A substantial loss of confidentiality, integrity, or availability of a network or member information system that results from the unauthorized access to or exposure of sensitive data, disrupts vital member services, or has a serious impact on the safety and resiliency of operational systems and processes. 
  • A disruption of business operations, vital member services, or a member information system resulting from a cyberattack or exploitation of vulnerabilities. 
  • A disruption of business operations or unauthorized access to sensitive data facilitated through, or caused by, a compromise of a credit union service organization, cloud service provider, or other third-party data hosting provider or by a supply chain compromise.

The letter gives further details on what each of those three outcomes means.
 
If a federally insured credit union is unsure as to whether a cyber incident is reportable, it should contact the NCUA as soon as possible. 

When to Report

The rule requires a federally insured credit union that experiences a reportable cyber incident to report the incident to the NCUA as soon as possible and no later than 72 hours after the credit union reasonably believes that it experienced a reportable cyber incident. The 72 hours begins when the credit union forms a reasonable belief a reportable cyber incident has taken place.
 
When a federally insured credit union receives a notification from a third party that sensitive data has been compromised or business operations have been disrupted due to a cyber incident, the credit union has 72 hours to report to the NCUA. This timeframe starts from the moment the credit union receives the notification from the third party or when the credit union forms a reasonable belief that such an incident has occurred, whichever is sooner. 

How to Report

To report a cyber incident, federally insured credit unions may notify the NCUA through one of the following channels: 

What to Report

Federally insured credit unions should be prepared to provide as much of the following information as is known at the time of reporting: 

  • Credit union name;
  • Credit union charter number;
  • Name and title of individual reporting the incident;
  • Telephone number and email address;
  • When the credit union reasonably believed a reportable cyber incident took place; and
  • A basic description of the reportable cyber incident, including what functions were, or are reasonably believed to have been, affected, and whether sensitive information was compromised.

At the time of initial notification, do not send the NCUA: 

  • Sensitive personally identifiable information;
  • Indicators of compromise;
  • Specific vulnerabilities; or
  • Email attachments. 

If the NCUA requires additional information or clarification, it will follow up with the credit union directly. 

Implementation Guidelines

The NCUA says that credit unions should complete the following steps when implementing the rule.
 
Update Response Plan: Review the existing incident response plan and update it to align with the new rule. This includes incorporating the reporting requirement timeframes and procedures for notifying the NCUA. Ensure the plan includes clear guidelines for identifying reportable incidents and escalation procedures for notifying management and the NCUA.
 
Review Contracts: Review contracts with critical service providers to determine if there are provisions requiring timely notification of cyber incidents.
 
Train Employees: Provide training to all employees, emphasizing the importance of reporting cyber incidents and the potential consequences of noncompliance. Ensure that employees understand their role in identifying and reporting incidents and provide them with necessary resources and guidance.
 
Monitor and Review: Regularly monitor and review the cyber incident reporting process to validate its effectiveness. Conduct periodic tests and exercises to evaluate the efficiency of the incident response plan and reporting procedures. Use lessons learned from these exercises to make improvements and update the plan.
 
Document All Incidents: Document all cyber incidents, regardless of whether they meet the reporting criteria, and maintain records in accordance with the organization’s retention policies. This documentation is essential and serves as a valuable resource for future incident response and reporting efforts.
 
Documentation also provides an audit trail to support management’s reporting decisions. Specifically, document: 

  • Indicators of compromise;
  • Network information or traffic regarding the attack;
  • The attack vector;
  • Information on any exfiltrated data; and
  • Any forensic or other reports about the reportable cyber incident.