Federally Insured Credit Unions Required to Report Cyber Incidents Within 3 Days

The National Credit Union Administration is requiring all federally insured credit unions to report cyber incidents within 72 hours of discovery.

The National Credit Union Administration (NCUA) is updating cyberattack reporting rules, requiring all federally insured credit unions to report incidents within 72 hours of discovery.

The new policy, the NCUA announced, comes into effect on September 1 and will cover all incidents that impact information systems or the integrity, confidentiality, or availability of data on those systems.

“Beginning on September 1, 2023, all federally insured credit unions must notify the NCUA as soon as possible, and no later than 72 hours, after the credit union reasonably believes it has experienced a reportable cyber incident or received a notification from a third party regarding a reportable cyber incident,” the NCUA announced.

The NCUA defines reportable incidents as those leading to network or system compromise following unauthorized access to or exposure of sensitive information, or to the disruption of services or operational systems.

“For example, if a federally insured credit union becomes aware that sensitive data is unlawfully accessed, modified, or destroyed, or if the integrity of a network or member information system is compromised, the cyber incident is reportable,” the NCUA explains.

Incidents involving unauthorized tampering with information systems or erroneous exposure of sensitive data are also reportable, the organization notes.

For incidents that do not trigger reporting under the new regulation, but which involve unauthorized access to user information, credit unions will continue to rely on the previous reporting framework.

Under the new regulation, cyberattacks such as distributed denial-of-service (DDoS), which may lead to the disruption of business operations, services, or systems, are reportable. Failed attacks, including blocked phishing attempts, however, should not be reported.

Unexpected malfunctions leading to the disruption of member account access for substantial periods of time should also be reported.

The new regulation also requires credit unions to report data breaches and disruptions that have occurred following a cyberattack on third-party service providers, except for those incidents performed by white hat hackers.

“The overall definition of a reportable cyber incident is intended to capture the reporting of substantial cyber incidents. A credit union’s determination of ‘substantial’ depends on a variety of factors, including the size of the credit union, the type and impact of the loss, and its duration,” the NCUA notes.

Per the updated regulation, credit unions are required to report cyber incidents within 72 hours after forming “a reasonable belief a reportable cyber incident has taken place” or after being informed by a third party of data compromise or disruptions following a cyberattack.

“By following these guidelines and implementing the cyber incident notification requirements, your credit union can enhance its overall cybersecurity posture and improve incident response capabilities,” the NCUA concludes.

Copyright © 2024 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.
