NCUA recently finalized a regulation that requires federally insured credit unions (FICU) to report a cyber incident to the agency no later than 72 hours after the FICU reasonably believes it has experienced a reportable cyber incident. The rule takes effect September 1, 2023, and is included in Part 748 of the NCUA Rules and Regulations.
The definitions in the regulation provide the keys to understanding when a reportable cyber incident occurred. A reportable cyber incident is any substantial cyber incident that leads to:
- A substantial loss of confidentiality, integrity or availability of a network or member information system resulting from unauthorized access to or exposure of sensitive data, or that has a serious impact on the safety and resiliency of operational systems and processes.
- A disruption of business operations, vital member services or a member information system resulting from a cyberattack or exploitation of vulnerabilities.
- A disruption of business operations or unauthorized access to sensitive data caused by a compromise of a credit union service organization, cloud service provider, third-party data hosting provider or by a supply chain compromise.
As you can see, a lot of factors play a role in deciding when to notify NCUA of a cyber incident. In short, a credit union will be making a judgment call, within the 72-hour window, regarding its reasonable belief as to whether a cyber incident occurred that requires reporting to NCUA. The final rule explains that NCUA will be providing guidance on compliance through the supervisory process.
The notice requirement is meant to give NCUA an early alert to an incident. NCUA does not require a detailed assessment within the 72-hour time frame.
In order to prepare for the effective date of the rule, credit unions should examine their policies and corresponding risk assessments for incident response, business continuity/disaster recovery plans, the cybersecurity policy, and the information security policy.