Starting Sep. 1, 2023, all federally insured credit unions (FICU) must notify the National Credit Union Administration (NCUA) within 72 hours after the credit union reasonably believes it has experienced a reportable cyber incident or received a notification from a third party regarding a reportable cyber incident.

Reportable Incidents

The Cyber Incident Notification Requirements (Part 748) rule defines a cyber incident as an occurrence that actually or imminently jeopardizes, without lawful authority, the integrity, confidentiality or availability of information on an information system. A reportable cyber incident is any incident that leads to one or more of the following outcomes:

• A substantial loss of confidentiality, integrity or availability of a network or member information system that results from the unauthorized access to or exposure of sensitive data, disrupts vital member services, or has a serious impact on the safety of operational systems and processes.
• A disruption of business operations, vital member services or a member information system resulting from a cyberattack or exploitation of vulnerabilities.
• A disruption of business operations or unauthorized access to sensitive data facilitated through, or caused by, a compromise of a credit union service organization (CUSO), cloud service provider other third-party data hosting provider or by a supply chain compromise.

A credit union’s determination of “substantial” depends on a variety of factors, including the credit union's size, the type and impact of the loss, and its duration. It is recommended you use your best judgment when deciding if the incident is reportable or not. The NUCA lays out examples of substantial incidents that would likely qualify as reportable cyber incidents to use as a reference. Also included in the appendix are examples of non-reportable incidents. If a credit union is unsure whether a cyber incident is reportable, they should contact the NCUA as soon as possible.

Notification Requirements

The rule requires a FICU to report the incident to the NCUA as soon as possible and no later than 72 hours after the FICU reasonably believes it has experienced a cyber incident. In addition, if a FICU receives a notification from a third party that sensitive data has been compromised or business operations have been disrupted due to a cyber incident, the FICU has 72 hours to report it to the NUCA. To report a cyber incident, follow the instructions found in the Cyber Incident Reporting Quick Reference Guide. You’ll want to notify NCUA through one of the following channels:

• Call the NCUA at 1.833.CYBERCU (1.833.292.3728) and leave a voicemail; or
• Use the National Credit Union Administration Secure Email Message Center to send a secure email to cybercu@ncua.gov.

The following information must be shared in the communication to the NCUA:

• Credit union name
• Credit union charter number
• Name and title of the individual reporting the incident
• Telephone number and email address of the individual reporting the incident
• When the credit union reasonably believed a reportable cyber incident took place
• A basic description of the reportable cyber incident, including what functions were, or are reasonably believed to have been affected or if sensitive information was compromised.

Preparing Your Organization

With this new rule, credit unions should take the following steps to ensure compliance and protect themselves against cyber incidents:

• Update Response Plan – Review your organization's existing incident response plan and incorporate the reporting timeframes and procedures for notifying the NCUA. Make sure the plan includes clear guidelines for identifying reportable incidents and escalation procedures for notifying management and the NCUA.
• Review Contracts - Review contracts with all service providers to evaluate provisions for notifications of cyber incidents.
• Train Employees - Ensure all employees understand their role in identifying and reporting incidents, and provide them with necessary resources and training.
• Monitor and Review - Regularly monitor and review the cyber incident reporting process to validate its effectiveness, and adjust as necessary.
• Document All Incidents - Document all cyber incidents, including those of service providers, and maintain records in accordance with the organization’s retention policies. Documentation serves as a valuable resource for future incident response and reporting.

If you need guidance or help on any of the above steps, Doeren Mayhew’s IT Advisory and Security Group can guide you through understanding your security posture, offer solutions to keep you protected and implement strategies to combat attacks. Contact them today.