Is Your CU Ready for the New Cyber Incident Notification Rule?

Starting September 1, 2023, federally insured credit unions (FICUs) must comply with the new Cyber Incident Notification Rule recently issued by the National Credit Union Administration (NCUA) board. This rule mandates that federally insured credit unions report a qualified cyber incident to the NCUA no later than 72 hours after the incident is detected.

A cyber incident that is substantial is classified as below:

• A substantial loss of confidentiality, integrity, or availability of a network or member information system that results from the unauthorized access to or exposure of sensitive data, disrupts vial member services, or has a serious impact of the safety and resiliency of operational systems and processes.
• A disruption of business operations, vital member services, or a member information system resulting from a cyberattack or exploitation of vulnerabilities.
• A disruption of business operations or unauthorized access to sensitive data facilitated through, or caused by, a compromise of a credit union service organization, cloud service provider, or other third-party data hosting provider or by a supply chain compromise.

It is worth noting that failed attempts to breach systems or unsuccessful malware attacks are not reportable under this rule. For example, a DDoS attack that disrupts member account access would be reportable under this prong. It is the credit union’s responsibility to amend its contracts with vendors to include provisions for reportability and accountability.

So, what does this mean for your FICU?

You will need to ensure that you are working to amend your contracts to include language of reportability and accountability to your vendors!

The NCUA is expected to provide more information and examples of reportable incidents before September 1, 2023. It is essential for credit unions to familiarize themselves with the new rule and take necessary measures to comply with it to ensure a secure and stable cyber environment for their members.

Article by CUVM, a provider of CUNA Strategic Services, a business partner of the California and Nevada Credit Union Leagues.

The article originally appeared on the CUNA Strategic Services website.