The League – Fostering Financial Wellbeing for All

NCUA proposes new cyber incident reporting rule

Comment Call Compliance Courier

COMMENT CALL: The NCUA has proposed a new rule that would require a federally insured credit union (FICU) to notify the agency within 72 hours after it reasonably believes that a “reportable cyber incident” has occurred. The 72-hour clock would start at the point of reasonable belief, not when the incident is confirmed.

Under the proposal, a “cyber incident” would mean “an occurrence that actually or imminently jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information on an information system or actually or imminently jeopardizes, without lawful authority, an information system.”
 
Such an incident would rise to the level of being “reportable” if the FICU deems it to be “substantial” and if it leads to one or more of the following: 

  • A substantial loss of confidentiality, integrity, or availability of a network or member information system that results from the unauthorized access to or exposure of sensitive data, disrupts vital member services, or has a serious impact on the safety and resiliency of operational systems and processes.
  • A disruption of business operations, vital member services, or a member information system resulting from a cyberattack or exploitation of vulnerabilities.
  • A disruption of business operations or unauthorized access to sensitive data facilitated through, or caused by, a compromise of a credit union service organization, cloud service provider, managed service provider, or other third-party data hosting provider or by a supply chain compromise.

The proposal does not define “substantial,” but according to the NCUA’s preamble to the rule, “[w]hat a FICU would consider to be substantial will likely depend on a variety of factors, including the size of the FICU, the type and impact of the loss, and its duration, for example. The agency expects a FICU to exercise reasonable judgment in determining whether it has experienced a substantial cyber incident that would be reportable to the agency.” FICUs would be encouraged to contact the NCUA if they are unsure whether a cyber incident is “substantial.”
 
The NCUA’s proposal includes these examples of reportable cyber incidents:
  1. A computer hacking incident that disables a FICU’s operations.
  2. A ransom malware attack that encrypts a core banking system or backup data.
  3. Notification from a third party to a FICU that the third party has experienced a breach of a FICU employee’s personally identifiable information (PII).
  4. A detected, unauthorized intrusion into a network information system.
  5. Discovery or identification of “zero-day malware” (malware that exploits a previously unknown hardware, firmware, or software vulnerability) in a network or information system.
  6. Internal breach or data theft by an insider.
  7. A systems compromise resulting from card skimming.
  8. Sensitive data exfiltrated outside of the FICU or a contracted third party in an unauthorized manner, such as through a flash drive or online storage account.

A FICU’s report of a cyber incident to the NCUA would have to include information such as:
  • A basic description of the reportable cyber incident, including what functions were, or are reasonably believed to have been, affected.
  • The estimated date range during which the reportable cyber incident took place.
  • Where applicable, a description of the exploited vulnerabilities and the techniques used to perpetrate the reportable cyber incident.
  • Any identifying or contact information of the actor(s) reasonably believed to be responsible.
  • The impact to the FICU’s operations. 

While the NCUA is proposing a 72-hour time frame, depending on the comments received, the final rule may adopt a shorter one, such as 36 hours, which is the deadline the federal banking agencies require of the institutions they supervise under their own incident notification rules.

Make your voice heard

The League plans to comment on the NCUA’s proposal, but we’d like your feedback. Do you support the proposal? Why or why not? Please email your thoughts to Paul Guttormsson at The League by Sept. 19, so that our comment letter (which is due to the NCUA by Sept. 26) can reflect your concerns.