DEFENSESTORM BLOG

NCUA Cyber Incident Notification Requirements

Wednesday, August 16th, 2023



The NCUA Cyber Incident Notification Requirements go into effect September 1, 2023. The final rule requires that covered institutions notify the NCUA as soon as possible, and no later than 72 hours, after the credit union reasonably believes it has experienced a reportable cyber incident or has received a notification from a third party regarding a reportable cyber incident.

On February 28, 2023, the NCUA published the final rule for the Cyber Incident Notification Requirements for Federally Insured Credit Unions. This final rule follows the similar Computer-Security Incident Notification rule for banks that the federal banking agencies (OCC, Federal Reserve Board, and FDIC) published in November 2021.

The credit union rule is effective September 1, 2023 and requires that “covered institutions notify the NCUA as soon as possible, and no later than 72 hours, after the credit union reasonably believes it has experienced a reportable cyber incident or received a notification from a third party regarding a reportable cyber incident.”

The rule defines a cyber incident as “an occurrence that actually or imminently jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information on an information system, or actually or imminently jeopardizes, without lawful authority, an information system.”

A reportable cyber incident is a substantial cyber incident that leads to one or more of the following outcomes:

  • A substantial loss of confidentiality, integrity, or availability of a network or member information system that results from the unauthorized access to or exposure of sensitive data, disrupts vital member services, or has a serious impact on the safety and resiliency of operational systems and processes.
  • A disruption of business operations, vital member services, or a member information system resulting from a cyberattack or exploitation of vulnerabilities.
  • A disruption of business operations or unauthorized access to sensitive data facilitated through, or caused by, a compromise of a credit union service organization, cloud service provider, or other third-party data hosting provider or by a supply chain compromise.

Ultimately, credit unions must use reasonable judgment to determine whether an incident is “substantial.” That determination will turn on factors such as the size, type, and impact of the loss and the duration of the incident.

While banks have only 36 hours to report incidents of a similar nature to their primary federal regulator, credit unions have been afforded 72 hours. The 72-hour clock begins once the credit union forms a reasonable belief that it has experienced a reportable incident. The same 72-hour window applies to third-party incidents: a credit union must report to the NCUA its receipt of a notification from a third party that sensitive data has been compromised or business operations have been disrupted due to a cyber incident. In that case the clock starts when the credit union receives the third-party notification or when it forms a reasonable belief that such an incident has occurred, whichever is sooner.

You can read more on how to implement this new rule in the two-part DefenseStorm series written for the banking rule: What Banks and Credit Unions Must Know About the New Computer Security Incident Notification Rule, Part 1 and Part 2.

In response to the new cyber incident notification requirements from the regulatory agencies, DefenseStorm added a field titled “Notified Regulators” to Incidents in the DefenseStorm platform. Users can mark an incident as reportable under the rule, then isolate and report on those incidents to provide supporting information to auditors, examiners, and other stakeholders.

SOURCES:

NCUA Cyber Incident Notification Requirements

Jessica Caballero

Senior Product Manager - Compliance

Jessica Caballero, Senior Product Manager, Compliance and Risk, CERP, CRCM. Jessica was an examiner for the Office of the Comptroller of the Currency (OCC). After leaving the agency, she worked as both a banker and a consultant focused mainly on compliance and risk management. Since 2015, Jessica has applied her subject matter expertise to the creation of technology solutions that solve critical problems for financial institutions. At DefenseStorm, she leads product decisions specific to compliance and risk as a Senior Product Manager. Jessica earned her bachelor’s degree in business economics from Texas State University and achieved the Certified Enterprise Risk Professional (CERP) and Certified Regulatory Compliance Manager (CRCM) designations from the American Bankers Association (ABA).