NEWS: The NCUA will host a webinar on August 2, 2023 at 1 p.m. CDT to provide more information on the new Cyber Incident Reporting Rule that takes effect on September 1, 2023. You can register for the webinar here.
As you may recall, in February, the NCUA approved a final rule on cyber incident notification requirements for federally insured credit unions (FICUs). The new rule requires a FICU to notify NCUA within 72 hours after it reasonably believes that a reportable cyber incident has occurred. We briefly discussed the new rule in this Compliance Courier. The rule adds a new subsection (c) to 12 CFR Part 748.1.
The new rule states that a “reportable” cyber incident is an incident that leads to at least one of the following outcomes:
- A substantial loss of the confidentiality, integrity, or availability of a network or member information system that (i) results from the unauthorized access to or exposure of sensitive data, (ii) disrupts vital member services, or (iii) seriously impacts the safety and resiliency of operational systems and processes;
- A disruption of business operations, vital member services, or a member information system resulting from a cyberattack or exploitation of vulnerabilities; or
- A disruption of business operations or unauthorized access to sensitive data facilitated through, or caused by, a compromise of a credit union service organization, cloud service provider, or other third-party data hosting provider or by a supply chain compromise.
To help provide some clarity on the scope of the new rule, the NCUA stated it would retain the non-exhaustive examples of reportable cyber incidents from the proposed rule, which include:
- If a credit union becomes aware that a substantial level of sensitive data is unlawfully accessed, modified, or destroyed, or if the integrity of a network or member information system is compromised;
- If a credit union becomes aware that a member information system has been unlawfully modified and/or sensitive data has been left exposed to an unauthorized person, process, or device, regardless of intent;
- A distributed denial-of-service attack that disrupts member account access;
- A computer hacking incident that disables a credit union’s operations;
- A ransom malware attack that encrypts a core banking system or backup data;
- Notification from a third party that it has experienced a breach of a credit union employee’s personally identifiable information;
- A detected, unauthorized intrusion into a network information system;
- Discovery or identification of zero-day malware (a cyberattack that exploits a previously unknown hardware, firmware, or software vulnerability) in a network or information system;
- Internal breach or data theft by an insider;
- Member information compromised as a result of card skimming at a credit union’s ATM; or
- Sensitive data exfiltrated outside of the credit union or a contracted third party in an unauthorized manner, such as through a flash drive or online storage account.
Accordingly, credit unions should ensure their incident response plan and written information security policies are consistent with the new rule. At a minimum, this should include key points of contact for the credit union in the event of an incident. The plan should also contain examples of the types of incidents that may trigger a notification obligation.
The NCUA will provide additional reporting guidance prior to the final rule going into effect. However, anytime a FICU is unsure whether a cyber incident is reportable, the NCUA encourages the FICU to contact the agency.