DEFENSESTORM BLOG

NCUA Cyber Incident Notification Requirements

Wednesday, August 16th, 2023


The NCUA Cyber Incident Notification Requirement goes into effect September 1, 2023. The final rule requires that covered institutions notify the NCUA as soon as possible, and no later than 72 hours, after the credit union reasonably believes it has experienced a reportable cyber incident or received a notification from a third party regarding a reportable cyber incident.

On February 28, 2023, the NCUA published the final rule for the Cyber Incident Notification Requirements for Federally Insured Credit Unions. This final rule follows a similar rule for banks published by the Agencies in late 2021.

The credit union rule is effective September 1, 2023, and requires that “covered institutions notify the NCUA as soon as possible, and no later than 72 hours, after the credit union reasonably believes it has experienced a reportable cyber incident or received a notification from a third party regarding a reportable cyber incident.”

The rule defines a cyber incident as “an occurrence that actually or imminently jeopardizes, without lawful authority the integrity, confidentiality, or availability of information on an information system or actually or imminently jeopardizes, without lawful authority, an information system.”

This includes any substantial cyber incident that leads to one or more of the following outcomes:

  • A substantial loss of confidentiality, integrity, or availability of a network or member information system that results from the unauthorized access to or exposure of sensitive data, disrupts vital member services, or has a serious impact on the safety and resiliency of operational systems and processes.
  • A disruption of business operations, vital member services, or a member information system resulting from a cyberattack or exploitation of vulnerabilities.
  • A disruption of business operations or unauthorized access to sensitive data facilitated through, or caused by, a compromise of a credit union service organization, cloud service provider, or other third-party data hosting provider or by a supply chain compromise.

Ultimately, credit unions must use reasonable judgment to determine whether an incident is “substantial”. That determination may depend on many factors, including the size, type and impact of the loss and the duration of the incident.

While banks have only 36 hours to report incidents of a similar nature, credit unions have been afforded 72 hours. The 72-hour clock begins once the credit union forms a reasonable belief that it has experienced a reportable incident. Additionally, credit unions have 72 hours to report to the NCUA their receipt of a notification letter from a third party that sensitive data has been compromised or business operations have been disrupted due to a cyber incident. This timeline begins as soon as the credit union receives notification from the third party or when the credit union forms a reasonable belief that such an incident has occurred, whichever is sooner.

You can read more on how to implement this new rule in the DefenseStorm series authored for the banks’ new rule on our blog: What Banks and Credit Unions Must Know About the New Computer Security Incident Notification Rule PART 1 and What Banks and Credit Unions Must Know About the New Computer Security Incident Notification Rule PART 2.

In response to the new cyber incident notification requirements from all regulatory agencies, DefenseStorm added a field titled “Notified Regulators” to our Incidents. This field allows our users to mark an incident as reportable under the new rule, so that those incidents can be isolated and reported on, making it easy to provide supporting information related to the incident to auditors, examiners and other stakeholders.

SOURCES:

NCUA Cyber Incident Notification Requirements

Jessica Caballero

Vice President, Banking Strategy

Jessica Caballero, CERP, CRCM, serves as the Vice President of Banking Strategy at DefenseStorm. She is dedicated to developing solutions specifically designed to meet the unique needs of banks and credit unions, enhancing their risk management capabilities while improving efficiencies for community financial institutions. Jessica oversees the alignment of the GRID Active platform strategy with our customers’ needs and regulatory expectations.

Jessica began her career as an examiner with the Office of the Comptroller of the Currency (OCC). Her extensive experience spans various roles including examiner, banker, and consultant. Since 2014, she has focused on banking technology innovation, initially at Abrigo (formerly Banker’s Toolbox). Before joining DefenseStorm, Jessica was a subject matter expert in BSA/AML and enterprise risk management. She now leverages her expertise in risk management to assist information security and cybersecurity teams within community financial institutions.