The NCUA Board unanimously approved a final rule that requires a federally insured credit union to notify the NCUA as soon as possible, and within 72 hours, after it reasonably believes that a reportable cyber incident has occurred. Under the final rule, federally insured credit unions are required to report a cyber incident that leads to a substantial loss of confidentiality, integrity, or availability of a network or member information system as a result of the exposure of sensitive data, disruption of vital member services, or that has a serious impact on the safety and resiliency of operational systems and processes. Additionally, cyberattacks that disrupt a credit union’s business operations, vital member services, or a member information system must be reported to the NCUA within 72 hours of a credit union’s reasonable belief that it has experienced a cyberattack.
The 72-hour notification requirement provides an early alert to the NCUA and does not require credit unions to provide a full incident assessment to the NCUA within the 72-hour timeframe.
The effective date of this final rule is September 1, 2023.
The NCUA will provide additional reporting guidance prior to the final rule going into effect.
What is a Reportable Cyber Incident?
The rule defines a reportable cyber incident as:
(i) A reportable cyber incident is any substantial cyber incident that leads to one or more of the following:
(A) A substantial loss of confidentiality, integrity, or availability of a network or member information system as defined in appendix A, section I.B.2.e., of this part that results from the unauthorized access to or exposure of sensitive data, disrupts vital member services as defined in § 749.1 of this chapter, or has a serious impact on the safety and resiliency of operational systems and processes.
(B) A disruption of business operations, vital member services, or a member information system resulting from a cyberattack or exploitation of vulnerabilities.
(C) A disruption of business operations or unauthorized access to sensitive data facilitated through, or caused by, a compromise of a credit union service organization, cloud service provider, or other third-party data hosting provider or by a supply chain compromise.
A reportable cyber incident does not include any event where the cyber incident is performed in good faith by an entity in response to a specific request by the owner or operators of the system.
What is a Cyber Incident?
Cyber Incident is defined as:
An occurrence that actually or imminently jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information on an information system, or actually or imminently jeopardizes, without lawful authority, an information system.
What is a Cyber Attack?
An attack, via cyberspace, targeting an enterprise’s use of cyberspace for the purpose of disrupting, disabling, destroying, or maliciously controlling a computing environment/infrastructure; or destroying the integrity of the data or stealing controlled information.
The Overview of the Final Rule includes a three-prong test for determining whether the cyber incident must be reported to the NCUA:
The first prong of the reportable cyber incident definition will require a FICU to notify the NCUA of a cyber incident that leads to a substantial loss of confidentiality, integrity, or availability of a member information system as a result of the exposure of sensitive data, disruption of vital member services, or that has a serious impact on the safety and resiliency of operational systems and processes. For example, if a FICU becomes aware that a substantial level of sensitive data is unlawfully accessed, modified, or destroyed, or if the integrity of a network or member information system is compromised, the cyber incident is reportable. If the credit union becomes aware that a member information system has been unlawfully modified and/or sensitive data has been left exposed to an unauthorized person, process, or device, that cyber incident is also reportable, irrespective of intent.
There are many technological reasons why services may be unavailable at any given time; for example, servers may be offline or systems may be undergoing updates. Such events are routine and thus would not be reportable to the NCUA. However, a failed system upgrade or change that results in unplanned widespread user outages for FICU members and employees would be reportable.
The second prong of the reportable cyber incident definition will require reporting to the NCUA in the event of a cyberattack that leads to a disruption of business operations, vital member services, or a member information system. Cyberattacks that cause disruption to a FICU’s business operations, vital member services, or a member information system must be reported to the NCUA within 72 hours of a FICU’s reasonable belief that it has experienced a cyberattack. For example, a distributed denial of service (DDoS) attack that disrupts member account access will be reportable under this prong.
Blocked phishing attempts, failed attempts to gain access to systems, or unsuccessful malware attacks do not have to be reported.
The third prong of the reportable cyber incident definition will require a FICU to notify the agency within 72 hours after a third party has informed the FICU that the FICU’s sensitive data or business operations have been compromised or disrupted as a result of a cyber incident experienced by the third party, or upon the FICU forming a reasonable belief that this has occurred, whichever occurs sooner. A cyber incident under the third prong would also be reportable only if the third party has a relationship with the FICU. The rule does not impose a notification requirement on a FICU for an incident occurring at any third party that, unbeknownst and unrelated to the FICU, holds information about individuals who happen to be FICU members or employees.
A FICU will not be required to report an incident performed in good faith by an entity in response to a request by the owner or operator of the information system. An example of an incident excluded from reporting would be the contracting of a third-party to conduct a penetration test.
As to timing under the third prong, the 72-hour clock starts only once the FICU learns of the incident. A FICU would be required to notify the NCUA of a reportable cyber incident within 72 hours of being notified by a third party, or “within 72 hours of a FICU forming a reasonable belief that it has experienced a reportable cyber incident. For example, a FICU reasonably may not be aware that a third-party has experienced a breach absent notification from the third-party. However, if a FICU experiences a disruption by losing access to its member accounts, it reasonably should be aware that its core service provider has been compromised.”
While the NCUA announced that it will provide additional reporting guidance prior to the final rule going into effect, now is the time to review your credit union’s incident response plan to identify areas that will need to be updated once further guidance is released.
Please be advised that CSG provides financial services compliance audit and consulting services to our clients. The services that we provide include certain tasks that may be characterized as “law-related services” under Rule 5.7 of the Rules of Professional Conduct governing lawyers. Since some of our employees are lawyers with an active bar license but are NOT engaged in the private practice of law, that Rule requires us to make disclosures clarifying that the services we perform may be law-related services, but they are not legal services. Because they are not legal services, those services and our relationship will not be governed by the Rules of Professional Conduct that guide the client-lawyer relationship, such as rules applicable to privileged communications and prohibitions of conflicts of interest. Notwithstanding this disclaimer, we will continue to govern our relationship with you using reasonable ethical and professional standards that are expected to meet your expectations.