Compliance Blog

I attended NAFCU’s Risk Management Seminar this past week where one of the topics discussed was cyber security risk. With that in mind, September 1^st is right around the corner and with that a major NCUA cyber security rule becomes effective.

The NCUA’s Cyber Incident Notification rule requires federally-insured credit unions to either notify NCUA as soon as possible or no later than 72 hours once the credit union reasonably believes it has experienced a reportable cyber incident or a third party has notified the credit union of an incident. NAFCU’s compliance team wrote a helpful compliance blog on the Cyber Incident Notification rule that reviews what is considered a “reportable cyber incident.”

NCUA recently released its Letter to Credit Unions 23-CU-07 (NCUA Letter) to complement the final rule and to color in some of the requirements. One interesting point I found reading the final rule and the additional Letter to Credit Unions is what happens if the cyber incident is self-inflicted. Of course, most cyber incidents are the result of external bad actors attacking a credit union’s networks resulting in the exposure of sensitive data and disruption to member services. However, accidents do happen, and mistakes are made that can result in the same type of consequences that occur when a credit union’s cyber networks are attacked. So, what does a credit union do in that situation?

Generally, a federally-insured credit union is required to file a report if there is “any substantial cyber incident.”

The final rule maintains that an internal upgrade or internal issue that causes widespread repercussions for the members and exposure of sensitive data is still considered a substantial cyber incident even if malicious intent does not exist. The final rule also suggests that reporting is based on how widespread the effects of an outage are more than the cause of the outage, saying: “By using the term substantial, the Board seeks to convey an expectation that the agency will be notified of cyber incidents that are extensive or significant to the FICU or its members (or both), rather than minor or inconsequential.” The recent NCUA Letter provides measuring the substantiality of a cyber incident may “depend[] on a variety of factors, including the size of the credit union, the type and impact of the loss, and its duration.” In other words, a credit union may have to make a risk-based decision in determining whether to report an incident.

The NCUA Letter also offered clarity on the notification framework, including the reporting timeframe, how to report, and what information to report. A credit union is required to report an incident to the NCUA within 72 hours. The NCUA Letter provides the “timeframe starts from the moment the credit union receives the notification from the third party or when the credit union forms a reasonable belief that such an incident has occurred, whichever is sooner.”

A federally-insured credit union may report this to cybercu@ncua.gov or NCUA may be reached at 1-833-292-3728. In its communication to NCUA, a federally-insured credit union is required to provide the following information:

NCUA’s letter also offers additional guidance in how a credit union may implement the rule. If there are any questions about the information in this blog, please do not hesitate to contact NAFCU’s compliance team at compliance@nafcu.org.

☀️ Summer Flash Sale on two popular On-Demand conferences! ☀️ 

Unprecedented offer! Save $200.00 on BSA School On-Demand and Risk Management Seminar On-Demand when you’re one of the first 20 people to use the codes BSAONDEMAND and RISKONDEMAND!