By TraceSecurity October 4, 2023
Effective September 1, 2023, the NCUA amended its Cyber Incident Notification Requirements rule (Part 748). When a cyber incident rises to the level of a “reportable cyber incident,” every federally insured credit union must notify the NCUA as soon as possible, and within 72 hours at the latest. This includes reportable cyber incidents that occur at the credit union’s third-party vendors.
This change is in line with the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), which was enacted in 2022. The Cybersecurity and Infrastructure Security Agency (CISA) has until 2025 to publish its final rule implementing the Act’s requirements, and the NCUA intends to align its own requirements with that rule. The NCUA Board will continue to coordinate with CISA on future credit union cyber incident reporting to avoid duplicate reporting requirements.
The NCUA has defined a reportable cyber incident as “any substantial cyber incident that leads to a substantial loss of confidentiality, integrity, or availability of a network or member information system that results from the unauthorized access to or exposure of sensitive data, disrupts vital member services, or has a serious impact on the safety and resiliency of operational systems and processes.”
The definition excludes any event performed in good faith at the request of the owner or operator of the information system, such as your annual penetration test or a phishing simulation.
If your credit union determines that a cyber incident has occurred, the first thing to do is determine if it is reportable.
Reportable:
Not Reportable:
If your credit union is ever unsure of whether an incident should be reported, it’s best to err on the side of caution and notify the NCUA as soon as possible.
There are two ways to report a cyber incident at your credit union:
What does the NCUA need to know? Be prepared to include the following information in your voicemail or secure email.
Do Send
Don’t Send
If the NCUA requires additional information, they will follow up with your credit union directly.
There are a few things that your credit union can do to prepare for a potential cyber incident.
Credit unions need to be prepared for the NCUA’s update to its Cyber Incident Notification Requirements. The new requirements took effect on September 1, 2023, ahead of CISA’s rulemaking under the Cyber Incident Reporting for Critical Infrastructure Act, which was enacted last year. For more information, see the NCUA’s Cyber Incident Notification Requirements Letter to Credit Unions.
TraceSecurity has provided over 30,000 examiner-approved reports, helping credit unions of all sizes maintain compliance year after year. A CUNA Strategic Services provider since 2006, TraceSecurity helps credit unions with a range of cybersecurity services, including risk assessments, penetration testing, and IT audits. With a combination of software and services, TraceSecurity can help credit unions manage their information security program and supplement it with third-party validation.