NCUA Follows Banking Regulators, Proposes Cyber Incident Notification Rule
Last fall, major federal banking regulators issued a final rule that imposed new cyber incident notification requirements on banks. While that rule does not apply to credit unions, cyber incident reporting requirements for credit unions are now on the horizon. Last week the National Credit Union Administration (NCUA) issued their own proposed rule on this topic.
Current Requirements
The NCUA proposal is only in its initial stages and is not a concrete requirement for credit unions – yet. Until the NCUA proposal makes its way through the rulemaking process and becomes an official regulation, the current cyber incident reporting requirements will continue to apply. At the moment, Appendix B of part 748 of the NCUA regulations states that federally-insured credit unions (FICUs) should have an incident response plan which should include notifying the FICU’s NCUA regional office as soon as possible when the FICU “becomes aware” of an incident involving unauthorized access to or use of sensitive member information, and notifying members “when warranted.” Additionally, FICUs must file a catastrophic act report if a disaster (natural or otherwise – which could include cyber incidents) causes interruption to the FICU’s vital member services which is projected to last more than two consecutive business days.
The New Proposal – Cyber Incidents
Under the new proposal, a FICU would be required to report any “reportable cyber incident” as soon as possible, but no later than 72 hours after the FICU reasonably believes that a reportable cyber incident has occurred. The proposal defines both “cyber incident” and “reportable cyber incident” – thus, to determine if reporting is required, a credit union would first look at whether the incident in question fits the definition of “cyber incident.” If so, then the credit union would consider whether the cyber incident rises to the level of being a “reportable” cyber incident.
The proposal defines a “cyber incident” to mean “an occurrence that actually or imminently jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information on an information system or actually or imminently jeopardizes, without lawful authority, an information system.”
In addition to that definition, a cyber incident will rise to the level of being a reportable cyber incident when it meets the following definition:
“Any substantial cyber incident that leads to one or more of the following:
- A substantial loss of confidentiality, integrity, or availability of a network or member information system that results from the unauthorized access to or exposure of sensitive data, disrupts vital member services, or has a serious impact on the safety and resiliency of operational systems and processes.
- A disruption of business operations, vital member services, or a member information system resulting from a cyberattack or exploitation of vulnerabilities.
- A disruption of business operations or unauthorized access to sensitive data facilitated through, or caused by, a compromise of a credit union service organization, cloud service provider, managed service provider, or other third-party data hosting provider or by a supply chain compromise.”
The rule actually gives credit unions some level of discretion in determining when reporting is needed. The definition of “reportable cyber incident” begins by stating that such an incident must be a “substantial” cyber incident – yet “substantial” is not defined. Instead, the proposed rule’s preamble notes that “[w]hat a FICU would consider to be substantial will likely depend on a variety of factors, including the size of the FICU, the type and impact of the loss, and its duration, for example. The agency expects a FICU to exercise reasonable judgment in determining whether it has experienced a substantial cyber incident that would be reportable to the agency.” The preamble goes on to note that when a FICU is unsure about whether an incident is “substantial,” it is encouraged to contact NCUA.
The preamble to the proposed rule provides a paragraph describing each “prong” of the definition of reportable cyber incident. Notably, the final “prong” states that a compromise of a credit union’s CUSO could result in a reportable cyber incident. The preamble notes that major CUSOs provide services to “credit unions that hold approximately 95 percent of total credit union system assets,” and therefore “[s]ignificant problems or a failure with a critical vendor or CUSO has the potential to result in disruption, including losses, to many credit unions and, in turn, pose risk to the National Credit Union Share Insurance Fund (NCUSIF) and national economic security…”
Additionally, the preamble provides the following non-exhaustive list of incidents that would be “reportable cyber incidents”:
- A computer hacking incident that disables a FICU’s operations.
- A ransom malware attack that encrypts a core banking system or backup data.
- Third-party notification to a FICU that they have experienced a breach of a FICU employee’s personally identifiable information (PII).
- A detected, unauthorized intrusion into a network information system.
- Discovery or identification of zero-day malware in a network or information system.
- Internal breach or data theft by an insider.
- A systems compromise resulting from card skimming.
- Sensitive data exfiltrated outside of the FICU or a contracted third party in an unauthorized manner, such as through a flash drive or online storage account.
Notably, the definition of a “reportable cyber incident” excludes “any event where the cyber incident is performed in good faith by an entity in response to a specific request by the owner or operator of the information system.” This exclusion appears to cover situations in which the access to the system was authorized by the credit union, such as when a credit union requests penetration testing or other instances in which the FICU asks a third party to access its systems and information.
Reporting
The preamble notes that NCUA will only require a report to contain “basic information,” such as:
- A basic description of the reportable cyber incident, including what functions were, or are reasonably believed to have been, affected.
- The estimated date range during which the reportable cyber incident took place.
- Where applicable, a description of the exploited vulnerabilities and the techniques used to perpetrate the reportable cyber incident.
- Any identifying or contact information of the actor(s) reasonably believed to be responsible.
- The impact to the FICU’s operations.
As for the reporting deadline, the proposed rule sets a 72-hour deadline from when the FICU determines it has experienced a reportable cyber incident. However, the preamble notes that NCUA may consider a shorter timeframe – such as 36 hours, which is the timeframe applicable to banks under the banking regulators’ rule – depending on the feedback it receives.
In addition to reporting to NCUA under these new proposed requirements, the rule states that reporting to other agencies may be appropriate as well. The preamble states: “A FICU experiencing a cyber incident is encouraged to contact relevant law enforcement or security agencies, as appropriate, after the incident occurs.” Certain cyber incidents may require the filing of a Suspicious Activity Report, as discussed in this 2016 FinCEN advisory.
The proposed rule requests comments on various aspects of the rule and provides a comment deadline of 60 days after publication in the Federal Register. NAFCU will continue to monitor this rulemaking and keep credit unions informed through Regulatory Alerts and future publications.
About the Author
Nick St. John, NCCO, NCBSO, Director of Regulatory Compliance, NAFCU
Nick St. John was named Director of Regulatory Compliance in August 2022. In this role, Nick helps credit unions with a variety of compliance issues.