The League – Fostering Financial Wellbeing for All

Responding to vendors’ cyber events

Q&A Compliance Courier

Q&A: Here’s a question that a Wisconsin credit union recently asked The League’s Legal Affairs team, along with our answer. Do you have a compliance question? Contact The League’s Compliance Hotline at (800) 242-0833 or email.

Q: One of our vendors had a cyber event which has potentially compromised our members’ data. What does the credit union need to do in response?
 
A: The credit union would want to review the contract with its vendor to understand the responsibilities of all parties involved. Any cyber-event can cause operational, financial and reputational risks for the credit union. The credit union will need to be prepared to address any members’ questions or be able to refer them to a particular person at the vendor for further information.

Additionally, how a credit union responds to these types of events falls under its Incident Response Program and its third-party vendor contracts. I have outlined below some of the components of a response plan from The League’s ii Release No. 0155:
 
Each credit union should also be able to address incidents of unauthorized access to member information maintained by its domestic and foreign service providers. A credit union’s contract with its service provider should require the provider to take appropriate actions to address unauthorized access or use of member information. This includes notification to the credit union as soon as possible of any such incident to enable the credit union to quickly implement its response program.
 
Components of a Response Program
 
In case of unauthorized access to or use of member information, every credit union should:
 
  • Assess the nature and scope of the incident and identify the member information systems and types of member information that have been accessed or misused. “Member information systems” include all of the methods used to access, collect, use, transmit, protect, or dispose of member information, including the systems maintained by service providers.
  • Notify the appropriate NCUA Regional Director, and the state regulator (Office of Credit Unions) in the case of state-chartered credit unions, as soon as possible when the credit union becomes aware of an incident involving unauthorized access or use of “sensitive” member information. See the section titled “Notifying the Office of Credit Unions” at the end of this release, which includes a link to a form that state-chartered credit unions should use to notify Wisconsin regulators. “Sensitive” member information means a member’s name, address, or telephone number, in conjunction with the member’s Social Security Number, driver’s license number, account number, credit or debit card number, or a personal identification number or password that would permit access to the member’s account. It also includes any combination of components of member information that would allow someone to log onto or access the member’s account, such as a user name with a password or a password with an account number.
  • File a Suspicious Activity Report (SAR) and notify appropriate law enforcement authorities for Federal criminal violations requiring immediate attention. For more information on Suspicious Activity Reports, see The League’s ii Release No. 0109.
  • Take appropriate measures to prevent further unauthorized access or use of member information, such as by monitoring, freezing, or closing affected accounts, while preserving records and other evidence. Credit unions have the flexibility to determine if monitoring accounts is feasible.
  • Notify members when warranted.
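The “sensitive member information” definition above is the trigger for the regulator notification step, so it helps to have it written down as a decision rule rather than re-read under pressure. The following is an added example (not code from The League or from the ii Release it quotes) that encodes the definition as a triage function over the field names a vendor reports as exposed: an identifying element together with one of the listed secret elements, or a combination that would let someone log on to or access the account. The field names, the sample vendor report and the `state_chartered` parameter are assumptions constructed for this example; the two access combinations listed are the ones the release names.

```python
"""Triage helper for a vendor-reported exposure of member data.

Added example, not code from The League or from ii Release No. 0155.
Encodes the quoted "sensitive member information" definition as a
decision function. Field names and the sample report are constructed.
"""

# Identifying elements named in the definition.
IDENTIFIERS = {"name", "address", "telephone_number"}

# Elements that, in conjunction with an identifier, make the exposure "sensitive".
SECRET_ELEMENTS = {
    "ssn",
    "drivers_license_number",
    "account_number",
    "card_number",
    "pin",
    "password",
}

# Combinations that would allow someone to log on to or access the account.
# The release names these two as examples; extend the list with the credential
# combinations your own online-banking and phone channels actually accept.
ACCESS_COMBINATIONS = [
    frozenset({"username", "password"}),
    frozenset({"password", "account_number"}),
]


def is_sensitive(exposed: set[str]) -> tuple[bool, str]:
    """Return (sensitive, reason) for a set of field names exposed together.

    Under the definition as quoted, a secret element on its own (e.g. a list
    of SSNs with nothing identifying whose they are) does not qualify, and an
    identifier on its own does not either; the combination is what matters.
    """
    ids = exposed & IDENTIFIERS
    secrets = exposed & SECRET_ELEMENTS
    if ids and secrets:
        return True, f"identifier {sorted(ids)} with {sorted(secrets)}"
    for combo in ACCESS_COMBINATIONS:
        if combo <= exposed:
            return True, f"account-access combination {sorted(combo)}"
    return False, "no sensitive combination"


def triage(report: dict[str, set[str]]) -> dict[str, tuple[bool, str]]:
    """Classify each data set in a vendor's report of what was exposed."""
    return {name: is_sensitive(set(fields)) for name, fields in report.items()}


def regulator_notifications(report: dict[str, set[str]], state_chartered: bool) -> list[str]:
    """Who the release says to notify "as soon as possible" if any data set is sensitive.

    NCUA Regional Director in all cases; the state regulator (Office of Credit
    Unions) as well for state-chartered credit unions. Assumed flag: state_chartered.
    """
    if not any(sensitive for sensitive, _ in triage(report).values()):
        return []
    recipients = ["NCUA Regional Director"]
    if state_chartered:
        recipients.append("Office of Credit Unions (state regulator)")
    return recipients


# Constructed sample vendor report: each exposed data set and the fields it held.
SAMPLE_VENDOR_REPORT = {
    "marketing_export": {"name", "address", "email"},
    "statement_archive": {"name", "address", "account_number"},
    "online_banking_credentials": {"username", "password"},
    "ssn_only_extract": {"ssn"},
}


if __name__ == "__main__":
    for dataset, (sensitive, reason) in triage(SAMPLE_VENDOR_REPORT).items():
        flag = "SENSITIVE" if sensitive else "not sensitive"
        print(f"{dataset:28} {flag:14} {reason}")
    print("Notify:", regulator_notifications(SAMPLE_VENDOR_REPORT, state_chartered=True))
```

Running the sample flags the statement archive (name and address with account number) and the online-banking credentials (username with password), while the marketing export and the SSN-only extract fall outside the definition as worded. The output is a triage aid for the incident response team; the written determination and the notification itself remain the steps described in the release.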

A credit union’s contract with a service provider should require the service provider to disclose any information to the credit union regarding any breach in security resulting from an unauthorized intrusion into the credit union’s member information system maintained by the service provider. It is the responsibility of the credit union to notify the credit union’s members and regulator, although a credit union may authorize or contract with its service provider to notify the credit union’s members or regulators on its behalf.

*****

NCUA CYBER INCIDENT NOTIFICATION REQUIREMENTS RULE

Federally insured credit unions (and all Wisconsin credit unions are federally insured) must notify the NCUA as soon as possible, and no later than 72 hours, after the credit union reasonably believes it has experienced a reportable cyber incident or received a notification from a third party regarding such an incident. See NCUA Regulations §748.1(c).

In 2023, the NCUA issued Letter to Credit Unions No. 23-CU-07 to provide credit unions with details about the reporting requirement, resources, and implementation guidelines. The letter includes a Cyber Incident Reporting Quick Reference Guide.

In 2016, FinCEN published Advisory FIN-2016-A005, which mandated SAR reporting for cyber-events where the financial institution “knows, suspects, or has reason to suspect that a cyber-event was intended, in whole or in part, to conduct, facilitate, or affect a transaction or a series of transactions…”

Importantly, the credit union may also be required to file a SAR even where a cyber-event is considered unsuccessful. This is a critical point: the credit union must complete its analysis even for cyber attacks that were thwarted, and the requirement may be worth stating expressly in the credit union’s incident response plan. In general, the credit union should include in a SAR “all relevant and available information” regarding a cyber-event.

Through this advisory FinCEN advises financial institutions on:

I. Reporting cyber-enabled crime and cyber-events through Suspicious Activity Reports (SARs);

II. Including relevant and available cyber-related information (e.g., Internet Protocol (IP) addresses with timestamps, virtual-wallet information, device identifiers) in SARs;

III. Collaborating between BSA/Anti-Money Laundering (AML) units and in-house cybersecurity units to identify suspicious activity; and

IV. Sharing information, including cyber-related information, among financial institutions to guard against and report money laundering, terrorism financing, and cyber-enabled crime. 

The credit union should also review FinCEN’s FAQs when submitting SARs related to cyber-events and cyber-enabled crime.

Financial institutions should include relevant information in pertinent SAR fields as well as a description of the facts surrounding the cyber-event or cyber-enabled crime in the narrative section. Recognizing that cyber-events and cyber-enabled crime may involve event-specific cyber-related information, FinCEN requests filing institutions to be consistent and use widely used and accepted terminology.

Finally, TruStage recently released this Risk Alert, “This New Year is a Good Time to Revisit and Review Information & Cyber Security”:
 
NCUA’s focus on information security and cybersecurity programs
 
The NCUA reported they expect to continue to have cybersecurity as an examination priority – looking to see if credit unions have established adequate information security programs to protect members and the credit union.