Credit Union News

The Latest Industry News Coverage

Lap top security risk illustration.

New Cyber Incident Reporting Requirements for FICUs

Beginning September 1, 2023, federally-insured credit unions (FICUs) are required to report certain cybersecurity incidents to the NCUA.  The new reporting requirements can be found in Section 748.1(c) of the NCUA regulations.  FICU staff should become familiar with the new regulation and its definitions which are critical to a full understanding of the reporting requirements.  An in-depth review of these definitions is beyond the scope of this article.

Summary of notice requirements
  1. Notify the appropriate NCUA-designated contact of a reportable cyber incident.
  2. Notice can be by email, telephone, or other similar methods as NCUA may prescribe.
  3. Notice must be received by NCUA as soon as possible but no later than 72 hours after the FICU reasonably believes that it has experienced a reportable cyber incident.

The NCUA website contains a Cyber Incident Reporting Quick Reference Guide with contact information and a summary of the reporting requirements.

Types of Reportable Cyber Incidents

There are three types of “reportable cyber incidents.”  For all types, the cyber incident must be “substantial.” “Substantial” is not defined in the regulation, but FICUs should notify NCUA if the cyber incident is extensive or significant to the credit union or its members (or both).  What is extensive or significant to a particular credit union may depend on its size, the type and impact of the loss, and the duration of the cyber incident.

Substantial Loss Cyber Incident

This type of reportable cyber incident occurs when there is a substantial loss of confidentiality, integrity, or availability of a network or member information system that results from the unauthorized access to or exposure of sensitive data, disrupts vital member services, or has a serious impact on the safety and resiliency of operational systems and processes.  A general example would be where the integrity of the credit union’s systems is compromised, or if there has been an unlawful modification of the credit union’s systems, or a substantial level of sensitive data is unlawfully left exposed to an authorized person, or unlawfully accessed or modified.

Business Disruption Cyber Incident

This type of reportable cyber incident occurs when there is “a disruption of business operations, vital member services, or a member information system resulting from a cyberattack or exploitation of vulnerabilities.”  A general example would be where members cannot access their accounts through online banking services due to a hacking incident regardless of whether sensitive data has been compromised or accessed.

Third Party Cyber Incident

This type of reportable cyber incident occurs when there is a “disruption of business operations or unauthorized access to sensitive data facilitated through, or caused by, a compromise of a credit union service organization, cloud service provider, or other third-party data hosting provider or by a supply chain compromise.”   The credit union must adhere to the 72-hour reporting requirement (i.e., within 72 hours of the credit union’s reasonable belief that a reportable cyber incident has occurred or the third-party’s notice to the credit union, whichever is earlier) even if the third-party has not completed its investigation.

In all cases, a loss of, or unauthorized access to, sensitive data is not required and there does not need to be an intent to cause a cyber incident.

Cyber Incidents that are not Reportable

Cyber incident events that occur because of good faith actions taken pursuant to the credit union’s request (such as a successful software update or planned system outage for penetration testing) are not reportable.  Unsuccessful malware attacks and blocked phishing attempts are not reportable.

Minor or inconsequential cyber incidents do not need to be reported.

However, if a credit union is unsure whether to report a cyber incident, it should report it.

Examples of Reportable Cyber Incidents

NCUA plans to add examples of reportable cyber incidents to the regulation but as of this writing, they have not been added.  Some examples of reportable cyber incidents that were included in the proposed rule are listed below:

  1. A computer hacking incident that disables a FICU’s operations.
  2. A ransom malware attack that encrypts a core banking system or backup data.
  3. Third-party notification to a FICU that they have experienced a breach of a FICU employee’s personally identifiable information.
  4. A detected, unauthorized intrusion into a network information system.
  5. Discovery or identification of zero-day malware in a network or information system.
  6. Internal breach or data theft by an insider.
  7. Member information compromised due to card skimming at a credit union’s ATM.
  8. Sensitive data exfiltrated outside of the FICU or a contracted third party in an unauthorized manner, such as through a flash drive or online storage account.

Article by Janet Jones, Attorney with Moore, Brewer & Wolfe.


Related News

Become an Industry Supporter

Get membership information

Please contact me about compliance

Contact me about Credit Union Solutions

Education & Professional Development