The National Credit Union Administration (NCUA) is updating cyberattack reporting rules, requiring all federally insured credit unions to report incidents within 72 hours of discovery.
The new policy, NCUA announced, comes into effect on September 1, and will cover all incidents that impact information systems or the integrity, confidentiality, or availability of data on those systems.
“Beginning on September 1, 2023, all federally insured credit unions must notify the NCUA as soon as possible, and no later than 72 hours, after the credit union reasonably believes it has experienced a reportable cyber incident or received a notification from a third party regarding a reportable cyber incident,” the NCUA announced.
NCUA defines reportable incidents as those that lead to the compromise of a network or system through unauthorized access to, or exposure of, sensitive information, or to the disruption of services or operational systems.
“For example, if a federally insured credit union becomes aware that sensitive data is unlawfully accessed, modified, or destroyed, or if the integrity of a network or member information system is compromised, the cyber incident is reportable,” the NCUA explains.
Incidents involving unauthorized tampering with information systems or erroneous exposure of sensitive data are also reportable, the organization notes.
For incidents that do not trigger reporting under the new regulation, but which involve unauthorized access to user information, credit unions will continue to rely on the previous reporting framework.
Under the new regulation, cyberattacks such as distributed denial-of-service (DDoS) attacks, which may lead to the disruption of business operations, services, or systems, are reportable. Failed attacks, including blocked phishing attempts, however, should not be reported.
Unexpected malfunctions leading to the disruption of member account access for substantial periods of time should also be reported.
The new regulation also requires credit unions to report data breaches and disruptions that have occurred following a cyberattack on third-party service providers, except for those incidents performed by white hat hackers.
“The overall definition of a reportable cyber incident is intended to capture the reporting of substantial cyber incidents. A credit union’s determination of ‘substantial’ depends on a variety of factors, including the size of the credit union, the type and impact of the loss, and its duration,” the NCUA notes.
Per the updated regulation, credit unions are required to report cyber incidents within 72 hours after forming “a reasonable belief a reportable cyber incident has taken place” or after being informed by a third party of data compromise or disruptions following a cyberattack.
“By following these guidelines and implementing the cyber incident notification requirements, your credit union can enhance its overall cybersecurity posture and improve incident response capabilities,” the NCUA concludes.