New NCUA Cyber Incident Reporting Rules
October 4, 2023
Effective September 1, 2023, the NCUA's amended Cyber Incident Notification Requirements rule (Part 748) took effect. When a cyber incident rises to the level of a “reportable cyber incident,” all federally insured credit unions must notify the NCUA as soon as possible, and no later than 72 hours after the credit union reasonably believes the incident occurred. This includes reportable cyber incidents that occur at the credit union's third-party vendors.
This change is in line with the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), which was enacted in 2022. The Cybersecurity and Infrastructure Security Agency (CISA) has until 2025 to publish its final rule implementing the Act's requirements, and the NCUA intends to align its requirements with that rule. The NCUA Board will continue to coordinate with CISA on future credit union cyber incident reporting to avoid duplicate reporting requirements.
The NCUA has defined a reportable cyber incident as “any substantial cyber incident that leads to a substantial loss of confidentiality, integrity, or availability of a network or member information system that results from the unauthorized access to or exposure of sensitive data, disrupts vital member services, or has a serious impact on the safety and resiliency of operational systems and processes.”
This excludes any event where the cyber incident was performed in good faith at the request of the owner/operator of the information system – things like your annual penetration testing or phishing simulation.
So, What Does This Mean for Your Credit Union?
If your credit union determines that a cyber incident has occurred, the first thing to do is determine whether it is reportable.
Examples of incidents that are reportable:
- Exposure of sensitive member information
- Successful malware/ransomware attack
- Disruption to business operations or member services
- Compromise or sensitive data exposure of a third-party vendor
Examples of incidents that are generally not reportable:
- Blocked phishing attempt
- Unsuccessful malware attack
- Authorized/requested incidents, like third-party penetration testing
- Scheduled maintenance or system updates that require systems to be temporarily unavailable
If your credit union is ever unsure whether an incident is reportable, err on the side of caution and notify the NCUA as soon as possible.
There are two ways to report a cyber incident at your credit union:
- Call the NCUA at 1.833.CYBERCU (1.833.292.3728) and leave a voicemail
- Use the NCUA’s Secure Email Message Center to send a secure email to email@example.com
What does the NCUA need to know? Be prepared to include the following information in your voicemail or secure email:
- Credit union name and charter number
- Name and title of the individual reporting the incident
- Phone number and email address
- When the credit union reasonably believed a reportable incident took place
- Brief description of the reportable incident
The initial notification should not include:
- Sensitive personally identifiable information
- Indicators of compromise
- Specific vulnerabilities
- Email attachments
If the NCUA requires additional information, they will follow up with your credit union directly.
Implementation: Be Prepared
There are a few things that your credit union can do to prepare for a potential cyber incident.
- Update Response Plans: Make sure your incident response plan includes actions to satisfy these new reporting requirements. Assign NCUA incident reporting to a specific person or people, including any necessary escalation procedures from employees, vendors, etc. When updating your plan, remember that reporting must occur as soon as possible, within the 72-hour window.
- Review Contracts: This is the perfect opportunity to review your third-party vendor contracts, especially those for your critical service providers. Do the contracts include timely notification of cyber incidents?
- Train Employees: Make sure your employees understand the importance of cyber incident reporting and their role in it. Any employee could be the first to notice a cyber incident, and prompt, proper escalation can make or break how it is handled.
- Monitor & Review: Regularly review your internal processes for cyber incident reporting using tabletop exercises, which the NCUA's new Information Security Examination (ISE) procedures already call for. Once NCUA reporting is part of your incident response plan, it can be exercised alongside the rest of the plan to evaluate effectiveness and make improvements.
- Documentation: Regardless of whether it needs to be reported, credit unions should document all cyber incidents. By maintaining these records, your credit union can help respond to similar incidents in the future, as well as provide an audit trail to support additional cybersecurity investments.
Credit unions need to be prepared for the NCUA's update to its Cyber Incident Notification Requirements. The new requirements took effect on September 1, 2023, ahead of CISA's final rule implementing the Cyber Incident Reporting for Critical Infrastructure Act, which was enacted last year. For more information, see the NCUA's Cyber Incident Notification Requirements Letter to Credit Unions.
TraceSecurity has provided over 30,000 examiner approved reports, helping credit unions of all sizes maintain compliance year after year. A CUNA Strategic Services provider since 2006, TraceSecurity helps credit unions with a range of cybersecurity services, including risk assessments, penetration testing and IT audits. With a combination of software and services, TraceSecurity can help credit unions manage their information security program and supplement it with third-party validation.