The Changes

Starting September 1, 2023, the NCUA changed its Cyber Incident Notification Requirements rule (Part 748). When a cyber incident rises to the level of a “reportable cyber incident,” all federally insured credit unions must notify the NCUA as soon as possible, and no later than 72 hours. This includes reportable cyber incidents at the credit union’s third-party vendors.

This change is in line with the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), which was enacted in 2022. The Cybersecurity and Infrastructure Security Agency (CISA) has until 2025 to publish its final rule implementing the Act’s requirements, and the NCUA intends to align its requirements with that rule. The NCUA Board will continue to coordinate with CISA on future credit union cyber incident reporting to avoid duplicate reporting requirements.

The NCUA has defined a reportable cyber incident as “any substantial cyber incident that leads to a substantial loss of confidentiality, integrity, or availability of a network or member information system that results from the unauthorized access to or exposure of sensitive data, disrupts vital member services, or has a serious impact on the safety and resiliency of operational systems and processes.”

This excludes any event where the activity was performed in good faith at the request of the information system’s owner or operator, such as your annual penetration test or a phishing simulation.

So, what does this mean for your credit union?

If your credit union determines that a cyber incident has occurred, the first thing to do is determine whether it is reportable.

Reportable:

  • Exposure of sensitive member information
  • Successful malware/ransomware attack
  • Disruption to business operations or member services
  • Compromise of, or sensitive data exposure at, a third-party vendor

Not Reportable:

  • Blocked phishing attempt
  • Unsuccessful malware attack
  • Authorized/requested incidents, like third-party penetration testing
  • Scheduled maintenance or system updates that require systems to be temporarily unavailable

If your credit union is ever unsure of whether an incident should be reported, it’s best to err on the side of caution and notify the NCUA as soon as possible.

Reporting Incidents

There are two ways to report a cyber incident at your credit union:

  1. Call the NCUA at 1.833.CYBERCU (1.833.292.3728) and leave a voicemail
  2. Use the NCUA’s Secure Email Message Center to send a secure email to cybercu@ncua.gov

What does the NCUA need to know? Be prepared to include the following information in your voicemail or secure email.

DO SEND

  • Credit union name & charter name
  • Name and title of individual reporting the incident
  • Phone number & email address
  • When the credit union reasonably believed a reportable incident took place
  • Brief description of the reportable incident

DON’T SEND

  • Sensitive personally identifiable information
  • Indicators of compromise
  • Specific vulnerabilities
  • Email attachments

If the NCUA requires additional information, they will follow up with your credit union directly.

Implementation: Be Prepared

There are a few things that your credit union can do to prepare for a potential cyber incident.

Update Response Plans

Make sure your incident response plan includes actions to satisfy these new reporting requirements. Assign NCUA incident reporting to a specific person or people, including any necessary escalation procedures from employees, vendors, and other sources. When updating your plan, remember that reporting must occur as soon as possible, within the 72-hour window.

Review Contracts

This is the perfect opportunity to review your third-party vendor contracts, especially those for your critical service providers. Do the contracts require timely notification of cyber incidents?

Train Employees

Make sure your employees understand the importance of cyber incident reporting and their role in avoiding the potential consequences. Any employee could be the entry point for a cyber incident, and prompt escalation can make or break how it is handled.

Monitor & Review

Regularly review your internal processes for cyber incident reporting using tabletop exercises, which are already mandated through the NCUA’s new Information Security Examination (ISE) requirements. Once NCUA reporting is part of your incident response plan, it can be included in these exercises to evaluate effectiveness and make improvements.

Documentation

Credit unions should document all cyber incidents, whether or not they need to be reported. Maintaining these records helps your credit union respond to similar incidents in the future and provides an audit trail to support additional cybersecurity investments.

Conclusion

Credit unions need to be prepared for the NCUA’s update to its Cyber Incident Notification Requirements. The new requirements took effect on September 1, 2023, to get ahead of the final rule CISA is preparing under the Cyber Incident Reporting for Critical Infrastructure Act, which was enacted in 2022. For more information, see the NCUA’s Cyber Incident Notification Requirements Letter to Credit Unions.