The National Credit Union Administration (NCUA) recently proposed a “Cyber Incident Notification Requirements for Federally Insured Credit Unions” rule requiring federally insured credit unions to notify the agency of a reportable cyber incident within 72 hours of believing they’ve experienced such an incident. The proposal raises some questions about what exactly a reportable incident might be. In this post we try to clarify why sharing more cybersecurity incident information is good for credit unions as a whole, what a reportable incident is, and how federally insured credit unions should begin to prepare themselves.
Organizations sharing information about cyber incidents strengthens the security posture of an entire industry. Informing the government of a threat can also help with spreading awareness, advising manufacturers of vulnerabilities, and prosecuting adversaries.
The recent Cyber Incident Reporting for Critical Infrastructure Act of 2022 inspired the NCUA board’s proposal. But that rule will not be finalized until September 2025, and the NCUA thought it imprudent to wait that long in light of the increasing frequency and severity of cyber incidents. For example, the NCUA issued an advisory in March 2022 about the heightened risk of social engineering and phishing attacks. Allure Security also found that 20 percent of credit unions and regional banks experienced an online brand impersonation attack in the first quarter of 2022 alone.
Credit unions play a critical role in the U.S. financial system. In its Quarterly Credit Union Data Summary for 2022 Q1, the NCUA reported that as of March 31, 2022, there were 4,903 federally insured credit unions serving approximately 132 million members. One reason people choose credit unions is that they are not-for-profit, member-owned organizations that return earnings to members in the form of reduced fees, higher savings rates, and lower loan rates. Customer service matters too. In a recent study of the best bank customer experience, 5,000 consumers ranked credit unions as six of the top ten best customer experiences delivered by financial institutions.
The NCUA’s proposed rule defines a cyber incident as an event that without lawful authority actually or imminently jeopardizes:
The proposal goes on to define a reportable cyber incident as a substantial cyber incident, which it defines as an incident leading to one or more of the following:
For the most part, the proposal seems to give credit unions discretion in defining a substantial incident:
“What a FICU [Federally Insured Credit Union] would consider to be substantial will likely depend on a variety of factors, including the size of the FICU, the type and impact of the loss, and its duration, for example. The agency expects a FICU to exercise reasonable judgment in determining whether it has experienced a substantial cyber incident that would be reportable to the agency.”
Overall though, the proposal suggests that when in doubt, report. The proposal explains that if a credit union finds itself unsure about whether an incident is reportable, the credit union should contact the NCUA.
Because Allure Security provides online brand protection-as-a-service, of course we wondered how the proposal suggests handling phishing and online brand impersonation attacks.
The proposal explicitly states that if a phishing attempt, access attempt, or malware attack is blocked, it’s not considered reportable.
The proposed rule does state that “…unauthorized access to or use of sensitive member information could trigger FICU reporting to the NCUA pursuant to the Unauthorized Access Guidance as well as reporting to the NCUA under this proposed rule. In such instances, the agency expects FICUs to use the reporting framework outlined in this proposed rule.” This suggests that a scammer tricking a member into revealing credentials, payment details or other sensitive information via a phishing site may well meet the definition of a reportable incident.
Of course, the proposed rule goes far beyond addressing imposter sites, but credit unions should institute online brand protection anyway. Credit unions command more trust from their members. A recent study found that 17% more credit union members trust their institution than account holders at other institutions. Losing that trust has big consequences. One in three consumers report closing a financial account due to fraud. In addition, a majority of consumers hold brands responsible for spoofed websites, even if the brand hasn’t done anything wrong.
Now is the time for credit unions to ensure they have the processes, technology and talent in place to properly identify and report cyber incidents.
A helpful activity might include taking a look at cyber incidents from the past year and asking the following questions:
The NCUA already requires federally insured credit unions to implement an incident response plan. Credit unions may want to review their plan to decide whether any processes or procedures need updating to facilitate notifying the NCUA within 72, 36 or 24 hours.
In addition, it may make sense to create a template for reporting the requested information about a reportable event to NCUA. The proposed reporting requirement does not necessitate a detailed incident report within the 72-hour window. NCUA says it will only require basic information such as:
That said, attack attribution and identifying the adversary’s tactics, techniques, and procedures strike us as beyond the basics.
If you wish to comment on the proposal, don’t delay. Comment at https://www.regulations.gov/docket/NCUA-2022-0099/document on or before September 26, 2022. The NCUA seeks comment on such items as:
Posted by Salvatore Stolfo