Federally insured credit unions are now required to report a cyber incident to the National Credit Union Administration (NCUA) Board within 72 hours. This final rule was unanimously approved by the NCUA on February 17, 2023 and will take effect September 1, 2023 – giving credit unions just over 6 months to update their data incident response teams, policies, and procedures accordingly.
The new rule states that a “reportable” cyber incident is an incident that leads to at least one of the following outcomes:
- A “substantial loss” of the confidentiality, integrity, or availability of a network or member information system that (i) causes the unauthorized access to or exposure of “sensitive data,” (ii) disrupts vital member services, or (iii) seriously impacts the “safety and resiliency” of operational systems and processes;
- A disruption of business operations, vital member services, or a member information system resulting from a cyberattack or exploitation of vulnerabilities; or
- A disruption of business operations or unauthorized access to sensitive data facilitated through, or caused by, a compromise of a credit union service organization, cloud service provider, or other third-party data hosting provider or by a supply chain compromise.
If a credit union experiences any of these outcomes, it must notify the NCUA “as soon as possible but no later than 72 hours” from the time it reasonably believes that it has experienced a reportable cyber incident. Disruption to business operations seems to be the central consideration in whether cyber incident will be reportable, which mirrors the considerations of banking regulator’s final rule that governs federally insured banks. The NCUA has indicated that it will issue additional guidance before the rule goes into effect on September 1, 2023, including examples of both non-reportable and reportable incidents, and the proper method for providing notice to the NCUA via email, telephone, or other similar prescribed methods. This initial notification is merely an “early alert” to NCUA and does not require a detailed incident assessment within that initial 72-hour time frame.
In response to public comments, the NCUA clarified that this reporting requirement is distinct from the current five-day period to report “catastrophic acts,” which are defined as “any disaster, natural or otherwise, resulting in physical destruction or damage to the credit union or causing an interruption in vital member services” that is projected to last more than two consecutive business days. The NCUA dismissed concerns that it may be difficult for credit unions to differentiate between a “catastrophic act” and “reportable cyber incident,” and rejected requests to apply the longer five-day reporting period for events that may fall within both definitions. The NCUA also noted that “catastrophic acts” includes non-natural disasters such as a power grid failure or physical attack and indicated that it may provide additional clarification at a later date if needed. As currently drafted, a reportable cyber incident may very well fall within the scope of such definitions, and if that is the case, credit unions should likely err on the side of reporting the incident within 36 hours. To provide some clarity on the scope of the new rule, the NCUA stated it would be retaining the non-exhaustive examples set forth in the proposed rule constituting reportable cyber incidents, which include:
- If a credit union becomes aware that a substantial level of sensitive data is unlawfully accessed, modified, or destroyed, or if the integrity of a network or member information system is compromised;
- If a credit union becomes aware that a member information system has been unlawfully modified and/or sensitive data has been left exposed to an unauthorized person, process, or device, regardless of intent;
- A DDoS attack that disrupts member account access;
- A computer hacking incident that disables a credit union’s operations;
- A ransom malware attack that encrypts a core banking system or backup data;
- Third-party notification to a credit union that they have experienced a breach of a credit union employee’s personally identifiable information;
- A detected, unauthorized intrusion into a network information system;
- Discovery or identification of zero-day malware (which is a cyber-attack that exploits a previously unknown hardware, firmware, or software vulnerability) in a network or information system;
- Internal breach or data theft by an insider;
- Member information compromised as a result of card skimming at a credit union’s ATM; or
- Sensitive data exfiltrated outside of the credit union or a contracted third party in an unauthorized manner, such as through a flash drive or online storage account.
On the other hand, blocked phishing attempts, failed attempts to gain access to systems, and unsuccessful malware attempts would not trigger a reporting requirement.
Notably, the NCUA’s reporting timeline is longer than the 36-hour timeline that applies to banks. The NCUA chose the 72-hour timeline in an effort to align the rule to reporting requirements for critical infrastructure, and specifically, to the requirements of the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), which requires certain entities in critical infrastructure sectors—such as financial services, telecommunications, information technology, healthcare, energy, and others—to report certain cyber incidents to the Cybersecurity and Infrastructure Security Agency. This timeframe also aligns with GDPR and the UK Data Protection Act 2018, which require notification to the supervisory authority “without undue delay” and, where feasible, not later than 72 hours of becoming aware of a reportable breach. The NCUA decided to roll out its final reporting rule even though the final rule implementing CIRCIA is not required to be published until 2025. Although the upcoming NCUA regulations will provide additional guidance, companies should not delay putting systems into place to detect and report cyber incidents where appropriate. Such preparations could include conducting training to ensure that employees are aware of the new reporting requirements, a chain of command for reporting suspected cyber incidents for review, updating the credit union’s incident response plan, and assigning relevant task owners for various phases of the incident response plan. Some aspects of the incident response plan will likely need to be supplemented once the NCUA issues additional guidance closer to the implementation date; however, credit unions should not delay in revisiting their data security monitoring and incident response procedures given the short notification timeframe.