Client Alert: Is Your Credit Union Ready to Comply with Updated NCUA Cyber Incident Notification Requirements?

Date: August 23, 2023

Under final regulations updated on March 1, 2023 and effective as of September 1, 2023, the National Credit Union Administration (“NCUA”) imposed stringent new cyber incident reporting requirements on federally chartered corporate credit unions and federally insured, state-chartered corporate credit unions (“FICUs”). FICUs that experience a cyber incident that rises to the level of a “reportable cyber incident” must now notify the NCUA (a) as soon as possible; and (b) no later than 72 hours after the FICU reasonably believes that it has experienced a reportable cyber incident or received a notification from a third party regarding a reportable cyber incident.
 
Reportable Incidents
 
A “reportable cyber incident” is defined in this context as a “substantial” cyber incident that leads to any of the following:
  1. a substantial loss of confidentiality, integrity, or availability of a network or member information system that (a) results from unauthorized access to or exposure of sensitive data, (b) disrupts vital member services, or (c) has a serious impact on the safety and resiliency of operational systems and processes;
  2. a disruption of business operations, vital member services, or a member information system resulting from a cyberattack or exploitation of vulnerabilities; or
  3. a disruption of business operations or unauthorized access to sensitive data facilitated through, or caused by, a compromise of a credit union service organization, cloud service provider, managed service provider, or other third-party data hosting provider or by a supply chain compromise.

The overall definition of a “reportable” cyber incident is intended to capture “substantial” cyber incidents. An FICU’s determination of “substantial” will depend on a variety of factors, including the credit union’s size, the type and impact of the loss, and its duration.
 
To aid in an FICU’s assessment of whether an incident is reportable, the new regulations define various key terms, including the terms “compromise,” “confidentiality,” “disruption,” “integrity,” “sensitive data,” and “vital member services.” The NCUA has also provided a handful of examples of substantial incidents that would likely qualify as reportable cyber incidents, as well as examples of incidents that in the NCUA’s opinion would be non-reportable.
 
Implementation Guidelines and Next Steps
 
Under this new rule, FICUs should take the following steps to ensure compliance and protect themselves against cyber incidents:
 
Update Response Plan
Review the existing incident response plan and update it to align with the new rule. This includes incorporating the reporting requirement timeframes and procedures for notifying the NCUA. Ensure the plan includes clear guidelines for identifying reportable incidents and escalation procedures for notifying appropriate members of management and the NCUA.
 
Review Contracts
Review contracts with critical service providers to determine if there are provisions requiring timely notification of cyber incidents.
 
Train Employees
Provide training to all employees, emphasizing the importance of reporting cyber incidents and the potential consequences of noncompliance. Ensure that employees understand their role in identifying and reporting incidents and provide them with necessary resources and guidance.
 
Monitor and Review
Regularly monitor and review the cyber incident reporting process to validate its effectiveness. Conduct periodic tests and exercises to evaluate the efficiency of the incident response plan and reporting procedures. Use lessons learned from these exercises to make improvements and update the plan.
 
Document All Incidents
Document all cyber incidents, regardless of whether they meet the reporting criteria, and maintain records in accordance with your organization’s retention policies. This documentation is essential and serves as a valuable resource for future incident response and reporting efforts. Documentation also provides an audit trail to support management’s reporting decisions.
 
Keep an Eye on Other Reporting Requirements
 
Given the proliferation of laws and regulations that require an FICU to investigate and potentially report a privacy or data security incident, FICUs must take care to weigh their cyber reporting obligations under a host of state, federal and even international laws potentially applicable to any given incident. By way of example, for each cyber incident, an FICU must gather the applicable facts and consider whether the incident (a) requires notice to affected members, regulators and/or credit reporting agencies under the laws of applicable states which have not provided a full or partial exemption to FICUs that otherwise comply with NCUA reporting requirements, (b) constitutes a “catastrophic act” reportable under the NCUA’s Security Program, Report of Crime and Catastrophic Act and Bank Secrecy Act Compliance regulations, (c) involves insider abuse or one or more suspicious transactions potentially reportable in a Suspicious Activity Report to the NCUA, law enforcement and the FICU’s board of directors, or (d) is otherwise reportable to a third party.
 
In particular, FICUs must now also stay abreast of pending rulemaking (expected in March 2024) by the Cybersecurity and Infrastructure Security Agency (“CISA”) under the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (“CIRCIA”). CIRCIA requires certain entities involved in critical infrastructure (likely to include FICUs) to: (a) report “covered cyber incidents” within 72 hours of when the “covered entity” “reasonably believes” the incident has occurred; (b) provide supplemental reports if “substantial new or different information becomes available”; and (c) report a payment made as a result of a ransomware attack within 24 hours of the payment being made. The deadlines and criteria for submitting these supplemental reports and the procedures for preserving data will be established during the rulemaking process. Notably, the NCUA Board has indicated that, once the CIRCIA rules are finalized, the Board intends for the NCUA to coordinate with CISA on cyber incident reporting under the NCUA early notice rules to avoid duplicate reporting to both the NCUA and CISA.
 
*          *          *

If you need guidance or help with a privacy or security incident, or any of the recommended compliance steps under this new NCUA rule, please contact a member of Whiteford’s Cyber Security, Data Management & Privacy practice group.
The information contained here is not intended to provide legal advice or opinion and should not be acted upon without consulting an attorney. Counsel should not be selected based on advertising materials, and we recommend that you conduct further investigation when seeking legal representation.