NCUA Board Approves Cyber Incident Reporting Requirement for Credit Unions

On February 16, 2023, the National Credit Union Administration (“NCUA”) Board unanimously approved a final rule requiring federally insured credit unions (“FICUs”) to notify the NCUA as soon as possible, and within 72 hours, after an FICU “reasonably believes” that a reportable cyber incident has occurred.

The final rule, effective September 1, 2023, defines a “cyber incident” as “an occurrence that actually or imminently jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information on an information system, or actually or imminently jeopardizes, without lawful authority, an information system.” A “reportable cyber incident,” however, includes any substantial cyber incident that leads to (1) a substantial loss of confidentiality, integrity or availability of a network or member information system that results from the unauthorized access to or exposure of sensitive data, disrupts vital member services or has a serious impact on the safety and resiliency of operational systems and processes; (2) a disruption of business operations, vital member services or a member information system resulting from a cyberattack or exploitation of vulnerabilities; or (3) a disruption of business operations or unauthorized access to sensitive data facilitated through, or caused by, a compromise of a credit union service organization, cloud service provider or other third-party data hosting provider, or by a supply chain compromise.

In its Board Action Bulletin, the NCUA Board indicated that the 72-hour notification requirement provides an early alert to the NCUA, but does not require FICUs to provide a full incident assessment to the NCUA within the 72-hour timeframe. Board Chairman Todd M. Harper stated that the final rule “will also align the NCUA’s reporting requirements with those of the federal banking agencies and the Cyber Incident Reporting for Critical Infrastructure Act [CIRCIA].” In particular, the final rule incorporates CIRCIA’s 72-hour reporting requirement and the federal banking agencies’ focus on operational disruption. The Board also announced that the NCUA would provide additional reporting guidance prior to the final rule going into effect.
