Compliance Blog

Feb 22, 2023

NCUA Issues Final Rule on Cyber Incident Notification

On February 16, 2023 the NCUA issued its final rule on cyber incident notification requirements for federally insured credit unions.  Compliance teams may not be feeling the pinch, but IT teams might need a hug, depending on who ultimately has responsibility for providing the notice.

Two photos of a child and an adult on a park bench.  Text on top photo of the child's face says "I work in Cybersecurity."  Bottom photo shows adult hugging child.

The new rule, which was approved unanimously, basically “requires a federally insured credit union to notify the NCUA as soon as possible, within 72 hours, after it reasonably believes that a reportable cyber incident has occurred.”  The rule amends Part 748 of NCUA’s regulations and will become effective on September 1, 2023.

The rule adds a few new definitions, including “cyber incident” and “reportable cyber incident,” among others:

Cyber incident is defined as “an occurrence that actually or imminently jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information on an information system or actually or imminently jeopardizes, without lawful authority, an information system.”

Reportable cyber incident is defined as “any substantial cyber incident that leads to one of more of the following: a substantial loss of confidentiality, integrity, or availability of a network or member information system that results from the unauthorized access to or exposure of sensitive data, disrupts vital member services, or has a serious impact on the safety and resiliency of operational systems and processes; a disruption of business operations, vital member services, or a member information system resulting from a cyberattack or exploitation of vulnerabilities; and/or a disruption of business operations or unauthorized access to sensitive data facilitated through, or caused by, a compromise of a credit union service organization, cloud service provider, managed service provider, or other third-party data hosting provider or by a supply chain compromise.”

The preamble to the rule explains that “as stated in the proposed rule, this notification requirement is intended to serve as an early alert to the agency and is not intended to include a lengthy assessment of the incident.”  The final rule thus requires federally insured credit unions to provide notification to NCUA “as soon as possible but no later than 72 hours after the FICU reasonably believes that a reportable cyber incident has occurred.”  This timeline differs from the 36-hour timeframe that the Federal banking agencies have implemented.  NCUA believes that this early notification may be beneficial to FICUs, since the agency may use the early notification to provide guidance for the FICU’s response.

While the rule does not include specific reporting guidance, it does allow cyber incidents to be reported to the “appropriate NCUA-designated point of contact. . . via email, telephone, or other similar methods that the NCUA may prescribe.”  The agency notes that it will provide more detailed reporting guidance before the rule takes effect in September.

Concerns from commenters about confidentiality of the information provided to NCUA in the notification were addressed by the agency, which stated that “reporting under this rule will be subject to Part 792 of the NCUA’s rules and exempt from FOIA requests under FOIA exemptions 4 and 8, and potentially exemptions 6 and 7(c).”

Various comments about the third-party compromise were addressed, with NCUA clarifying that the rule “does not impact existing contractual relationships.”  The agency went on, stating that “while the proposed rule asked FICUs to share how third parties provide notice to FICUs in the event of a cyber incident, there is no requirement in the proposed or final rules that FICUs amend existing contracts to comply with this rule.”  To that end, a FICU would only be required to notify NCUA of a reportable cyber incident within 72 hours of being notified by a third-party, or “within 72 hours of a FICU forming a reasonable belief that it has experienced a reportable cyber incident.  For example, a FICU reasonably may not be aware that a third-party has experienced a breach absent notification from the third-party.  However, if a FICU experiences a disruption by losing access to its member accounts, it reasonably should be aware that its core service provider has been compromised.”  (Emphasis in original.)

Other concerns regarding Part 748 and its appendices were addressed in the preamble, but NCUA declined to amend other (existing) sections of Part 748 and its Appendix B, at this time.  However, NCUA notes that “Appendix B provides guidance on FICUs’ obligations under §748.0 and applicable statutes and, thus, does not supersede this rule.  If a FICU experiences a reportable cyber incident, that incident shall be reported under the requirements of this rule.”  NCUA does, however, amend Appendix B to include the cyber incident notification requirements.

You can review the full text of the final rule here, and NAFCU will continue to keep our members and readers informed when NCUA issues further guidance on the rule prior to the effective date.

ENDS NEXT WEEK! $300.00 savings on Online Compliance Training Subscriptions: For just one price, your entire credit union receives access to over 40 hot-topic compliance webinars per year, so your team can master challenges like BSA, data security, risk management, loss prevention, and more. Subscribe now and use code NEWYEAR by February 28 to save.