Beginning Friday, September 1, 2023, the NCUA’s new Cyber Incident Notification Requirements Rule goes into effect. All federally insured credit unions will need to notify the NCUA as soon as possible, and no later than 72 hours, after the credit union reasonably believes it has experienced a reportable cyber incident or received a notification from a third party regarding a reportable cyber incident.
The Rule amends 12 CFR 748, now titled, Security Program, Report of Suspected Crimes, Suspicious Transactions, Catastrophic Acts, Cyber Incidents, and Bank Secrecy Act Compliance. Credit Unions should review their policies and procedures for updates.
The NCUA recommends, among other steps, to update the credit union’s response plan:
Update Response Plan
Review the existing incident response plan and update it to align with the new rule. This includes incorporating the reporting requirement timeframes and procedures for notifying the NCUA. Ensure the plan includes clear guidelines for identifying reportable incidents and escalation procedures for notifying management and the NCUA.
Review contracts with critical service providers to determine if there are provisions requiring timely notification of cyber incidents.
Provide training to all employees, emphasizing the importance of reporting cyber incidents and the potential consequences of noncompliance. Ensure that employees understand their role in identifying and reporting incidents and provide them with necessary resources and guidance.
Monitor and Review
Regularly monitor and review the cyber incident reporting process to validate its effectiveness. Conduct periodic tests and exercises to evaluate the efficiency of the incident response plan and reporting procedures. Use lessons learned from these exercises to make improvements and update the plan.
Document All Incidents
Document all cyber incidents, regardless of whether they meet the reporting criteria, and maintain records in accordance with the organization’s retention policies. This documentation is essential and serves as a valuable resource for future incident response and reporting efforts. Documentation also provides an audit trail to support management’s reporting decisions.
The NCUA has also provided:
§ 748.1 Filing of reports.
* * * * *
(c) Cyber incident report. Each federally insured credit union must notify the appropriate NCUA-designated point of contact of the occurrence of a reportable cyber incident via email, telephone, or other similar methods that the NCUA may prescribe. The NCUA must receive this notification as soon as possible but no later than 72 hours after a federally insured credit union reasonably believes that it has experienced a reportable cyber incident or, if reporting pursuant to paragraph (c)(1)(i)(C) of this section, within 72 hours of being notified by a third-party, whichever is sooner.
(1) Reportable cyber incident. (i) A reportable cyber incident is any substantial cyber incident that leads to one or more of the following:
(A) A substantial loss of confidentiality, integrity, or availability of a network or member information system as defined in appendix A, section I.B.2. e., of this part that results from the unauthorized access to or exposure of sensitive data, disrupts vital member services as defined in § 749.1 of this chapter, or has a serious impact on the safety and resiliency of operational systems and processes.
(B) A disruption of business operations, vital member services, or a member information system resulting from a cyberattack or exploitation of vulnerabilities.
(C) A disruption of business operations or unauthorized access to sensitive data facilitated through, or caused by, a compromise of a credit union service organization, cloud service provider, or other third-party data hosting provider or by a supply chain compromise.
(ii) A reportable cyber incident does not include any event where the cyber incident is performed in good faith by an entity in response to a specific request by the owner or operators of the system.
(2) Definitions. For purposes of this part:
Compromise means the unauthorized disclosure, modification, substitution, or use of sensitive data or the unauthorized modification of a security-related system, device, or process in order to gain unauthorized access.
Confidentiality means preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.
Cyber incident means an occurrence that actually or imminently jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information on an information system, or actually or imminently jeopardizes, without lawful authority, an information system.
Cyberattack means an attack, via cyberspace, targeting an enterprise’s use of cyberspace for the purpose of disrupting, disabling, destroying, or maliciously controlling a computing environment/infrastructure; or destroying the integrity of the data or stealing controlled information.
Disruption means an unplanned event that causes an information system to be inoperable for a length of time.
Integrity means guarding against improper information modification or destruction and includes ensuring information non-repudiation and authenticity.
Sensitive data means any information which by itself, or in combination with other information, could be used to cause harm to a credit union or credit union member and any information concerning a person or their account which is not public information, including any non-public personally identifiable information.
Please be advised that CSG provides financial services compliance audit and consulting services to our clients. The services that we provide include certain tasks that may be characterized as “law-related services” under Rule 5.7 of the Rules of Professional Conduct governing lawyers. Since some of our employees are lawyers with an active bar license but are NOT engaged in the private practice of law, that Rule requires us to make disclosures clarifying that the services we perform may be law-related services, but they are not legal services. Because they are not legal services, those services and our relationship will not be governed by the Rules of Professional Conduct that guide the client-lawyer relationship, such as rules applicable to privileged communications and prohibitions of conflicts of interest. Notwithstanding this disclaimer, we will continue to govern our relationship with you using reasonable ethical and professional standards that are expected to meet your expectations.