Beginning September 1, 2023, federally-insured credit unions (FICUs) are required to report certain cybersecurity incidents to the NCUA. The new reporting requirements can be found in Section 748.1(c) of the NCUA regulations. FICU staff should become familiar with the new regulation and its definitions, which are critical to a full understanding of the reporting requirements. An in-depth review of these definitions is beyond the scope of this article.
The NCUA website contains a Cyber Incident Reporting Quick Reference Guide with contact information and a summary of the reporting requirements.
There are three types of “reportable cyber incidents.” For all types, the cyber incident must be “substantial.” “Substantial” is not defined in the regulation, but FICUs should notify NCUA if the cyber incident is extensive or significant to the credit union or its members (or both). What is extensive or significant to a particular credit union may depend on its size, the type and impact of the loss, and the duration of the cyber incident.
The first type of reportable cyber incident occurs when there is a substantial loss of confidentiality, integrity, or availability of a network or member information system that results from the unauthorized access to or exposure of sensitive data, disrupts vital member services, or has a serious impact on the safety and resiliency of operational systems and processes. A general example would be where the integrity of the credit union’s systems is compromised, or if there has been an unlawful modification of the credit union’s systems, or a substantial amount of sensitive data is unlawfully left exposed to an unauthorized person, or is unlawfully accessed or modified.
The second type of reportable cyber incident occurs when there is “a disruption of business operations, vital member services, or a member information system resulting from a cyberattack or exploitation of vulnerabilities.” A general example would be where members cannot access their accounts through online banking services due to a hacking incident, regardless of whether sensitive data has been compromised or accessed.
The third type of reportable cyber incident occurs when there is a “disruption of business operations or unauthorized access to sensitive data facilitated through, or caused by, a compromise of a credit union service organization, cloud service provider, or other third-party data hosting provider or by a supply chain compromise.” The credit union must adhere to the 72-hour reporting requirement (i.e., within 72 hours of the credit union’s reasonable belief that a reportable cyber incident has occurred or the third party’s notice to the credit union, whichever is earlier) even if the third party has not completed its investigation.
In all cases, a loss of, or unauthorized access to, sensitive data is not required and there does not need to be an intent to cause a cyber incident.
Cyber incident events that occur because of good-faith actions taken pursuant to the credit union’s request (such as a successful software update or a planned system outage for penetration testing) are not reportable. Unsuccessful malware attacks and blocked phishing attempts are not reportable.
Minor or inconsequential cyber incidents do not need to be reported.
However, if a credit union is unsure whether to report a cyber incident, it should report it.
NCUA plans to add examples of reportable cyber incidents to the regulation but as of this writing, they have not been added. Some examples of reportable cyber incidents that were included in the proposed rule are listed below:
Article by Janet Jones, Attorney with Moore, Brewer & Wolfe.