REGular Blog: New Guidance for Credit Unions on the Cyber Incident Rule

On Monday, the NCUA released Letter to Credit Unions 23-CU-07, titled Cyber Incident Notification Requirements. The letter provides guidance to credit unions on how to comply with the requirement that NCUA be notified within 72 hours when a credit union experiences a reportable cyber incident. The new requirement goes into effect on September 1, so credit unions should be reviewing this guidance and the rule as they update their procedures.

The letter also contains two attachments - a Cyber Incident Reporting Quick Reference Guide and instructions on using the NCUA's Secure Email Message Center, which you may already be familiar with if you've had email communications with your NCUA examiners.

What makes an event reportable?

In the letter, the NCUA notes that the Rule's definition of a cyber incident is "an occurrence that actually or imminently jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information on an information system or actually or imminently jeopardizes, without lawful authority, an information system."

An incident can also be reportable if it is substantial and leads to certain outcomes:

• A substantial loss of confidentiality, integrity, or availability of a network or member information system that results from the unauthorized access to or exposure of sensitive data, disrupts vital member services, or has a serious impact on the safety and resiliency of operational systems and processes;
• A disruption of business operations, vital member services, or a member information system resulting from a cyberattack or exploitation of vulnerabilities; or
• A disruption of business operations or unauthorized access to sensitive data facilitated through, or caused by, a compromise of a credit union service organization, cloud service provider, or other third-party data hosting provider or by a supply chain compromise.

For each of these outcomes, the guidance in the letter gives examples of what types of incidents might be reportable or not reportable. For example, for a disruption of business operations resulting from a cyberattack, a DDoS attack that disrupts member account access would be a reportable event, while blocked phishing attempts or unsuccessful malware attacks would not be considered reportable events.

When do we have to report?

The Rule requires a credit union to report an incident to NCUA "as soon as possible and no later than 72 hours after the credit union reasonably believes that it experienced a reportable cyber incident."

So the clock starts when the credit union forms that reasonable belief. In the event that a third party notifies the credit union of an incident, the clock would start either when that notification is received or when the CU forms a reasonable belief an incident has occurred, whichever is sooner.

It's worth noting that the NCUA considered a 36-hour reporting requirement, which is similar to that of the banking regulators, but ultimately opted for 72 hours. Part of their reasoning in that decision was to make it clear that credit unions' first priority should be addressing the incident and using their incident response plan, not notifying the NCUA.

How and what do we report?

The notification to NCUA can either be a phone call or a secure email. The phone number is 1.833.CYBERCU (1.833.292.3728), and the email is cybercu@ncua.gov.

The letter also lays out the pieces of information that should be reported. These items include:

• Credit union name;
• Credit union charter number;
• Name and title of the individual reporting the incident;
• Telephone number and email address;
• When the credit union reasonably believed a reportable cyber incident took place; and
• A basic description of the reportable cyber incident, including what functions were, or are reasonably believed to have been affected or if sensitive information was compromised.

The letter also notes there are items that should not be sent in the initial notification, including:

• Sensitive personally identifiable information;
• Indicators of compromise;
• Specific vulnerabilities; or
• Email attachments.

What should our CU do now?

The letter includes implementation guidelines with steps a credit union can take when implementing the new rule. These steps include:

• Update your response plan to align it with the Rule
• Review vendor contracts for cyber incident notification requirements
• Train employees, emphasizing the importance of timely reporting
• Monitor and review the cyber incident reporting process
• Document all incidents - both reportable and non-reportable

Where can I find more resources?

• The Letter to Credit Unions with the guidance can be found here,
• Attached to that letter is the Quick Reference Guide.
• The Final Rule can be found here.