New NCUA Cyber Incident Reporting Rule: Is Your Credit Union Ready?

The National Credit Union Administration (NCUA) recently proposed a “Cyber Incident Notification Requirements for Federally Insured Credit Unions” rule requiring federally insured credit unions to notify the agency of a reportable cyber incident within 72 hours of believing they’ve experienced such an incident. The proposal raises some questions about what exactly a reportable incident might be. In this post we try to clarify why sharing more cybersecurity incident information is good for credit unions as a whole, what a reportable incident is, and how federally insured credit unions should begin to prepare themselves.

The Benefits of Sharing Cyber Incident Information

Organizations sharing information about cyber incidents strengthens the security posture of an entire industry. Informing the government of a threat can also help with spreading awareness, advising manufacturers of vulnerabilities, and prosecuting adversaries.

The recent Cyber Incident Reporting for Critical Infrastructure Act of 2022 inspired the NCUA board’s proposal. But that rule will not be finalized until September 2025, and the NCUA thought it imprudent to wait that long in light of the increasing frequency and security of cyber incidents. For example, the NCUA issued an advisory in March 2022 about the heightened risk of social engineering and phishing attacks. Allure Security also found that 20 percent of credit unions and regional banks experienced an online brand impersonation attack in the first quarter of 2022 alone.

Credit Unions play a critical role in the U.S. financial system. In its Quarterly Credit Union Data Summary for 2022 Q1, the NCUA reported that as of March 31, 2022, there were 4,903 federally insured credit unions serving approximately 132 million members. One reason people choose credit unions is because they are not-for-profit, member-owned organizations that return earnings to members in the form of reduced fees, higher savings rates, and lower loan rates. Customer service matters too. In a recent study of the best bank customer experience, 5,000 consumers ranked credit unions as six of the top ten best customer experiences delivered by financial institutions.

What does NCUA consider to be a reportable cyber incident?

The NCUA’s proposed rule defines a cyber incident as an event that without lawful authority actually or imminently jeopardizes:

  • the integrity, confidentiality or availability of information on an information system
  • an information system

The proposal goes on to define a reportable cyber incident as a substantial cyber incident, which it defines as an incident leading to one or more of the following:

  • A substantial loss of confidentiality, integrity, or availability of a network or member information system that
    • results from the unauthorized access to or exposure of sensitive data
    • disrupts vital member services
    • or has a serious impact on the safety and resiliency of operational systems and processes.
  • A disruption of any of the following resulting from a cyberattack or exploitation of vulnerabilities
    • business operations
    • vital member services
    • or a member information system.
  • A disruption of business operations or unauthorized access to sensitive data facilitated through, or caused by, a compromise of a
    • credit union service organization
    • cloud service provider
    • managed service provider
    • or other third-party data hosting provider
    • or by a supply chain compromise

OK, then what is a substantial cyber incident?

For the most part, the proposal seems to give credit unions discretion in defining a substantial incident:

“What a FICU [Federally Insured Credit Union] would consider to be substantial will likely depend on a variety of factors, including the size of the FICU, the type and impact of the loss, and its duration, for example. The agency expects a FICU to exercise reasonable judgment in determining whether it has experienced a substantial cyber incident that would be reportable to the agency.”

Overall though, the proposal suggests that when in doubt, report. The proposal explains that if a credit union finds themselves unsure about whether or not an incident is reportable, the credit union should contact the NCUA.

What About Online Brand Impersonation/Imposter Sites?

Because Allure Security provides online brand protection-as-a-service, of course we wondered how the proposal suggests handling phishing and online brand impersonation attacks. 

The proposal explicitly states that if a phishing attempt, access attempt, or malware attack is blocked, it’s not considered reportable. 

The proposed rule does state that “…unauthorized access to or use of sensitive member information could trigger FICU reporting to the NCUA pursuant to the Unauthorized Access Guidance as well as reporting to the NCUA under this proposed rule. In such instances, the agency expects FICUs to use the reporting framework outlined in this proposed rule.” This suggests that a scammer tricking a member into revealing credentials, payment details or other sensitive information via a phishing site may well meet the definition of a reportable incident.

Of course the proposed rule goes far beyond addressing imposter sites, but credit unions should institute online brand protection anyway. Credit unions command more trust from their members. A recent study found that 17% more credit union members trust their institution than account-holders at other institutions. Losing that trust has big consequences. One-in-three consumers report closing a financial account due to fraud. In addition, a majority of consumers hold brands responsible for spoofed websites, even if the brand hasn’t done anything wrong. 

How Federally Insured Credit Unions Can Prepare for the Cyber Incident Reporting Rule

Now is the time for credit unions to ensure they have the processes, technology and talent in place to properly identify and report cyber incidents. 

A helpful activity might include taking a look at cyber incidents from the past year and asking the following questions:

  • Which of the incidents would you consider to be reportable based on what you know of the proposed rule?
  • At what point during your response to those incidents did your team have reason to believe the incident was reportable and what triggered that realization? 

The NCUA already requires federally insured credit unions to implement an incident response plan. Credit unions may want to review their plan to decide whether any processes or procedures need updating to facilitate notifying the NCUA within 72, 36 or 24 hours.

In addition, it may make sense to create a template for reporting the requested information about a reportable event to NCUA. The proposed reporting requirement does not necessitate a detailed incident report within the 72-hour window. NCUA says it will only require basic information such as:

  • A basic description of the reportable cyber incident
  • Functions reasonably believed to have been affected
  • Estimated date range of the incident’s occurrence
  • If applicable, a description of exploited vulnerabilities and techniques used
  • Identifying or contact information for the actor(s) believed to be responsible.
  • The impact to the FICU’s operations

Although, attack attribution and identifying the adversary’s tactics, techniques, and procedures strikes us as beyond the basics.

NCUA Seeking Comment on the Proposal

If you wish to comment on the proposal, don’t delay. Comment at on or before September 26, 2022. The NCUA seeks comment on such items as:

  1. The definition of a reportable cyber incident
  2. The definition of substantial
  3. How third parties currently notify credit unions  when cyber incidents occur
  4. The reporting window for cyber incidents (a 72-hour reporting window is proposed)
  5. Notification methods for reporting a cyber incident (e.g., by phone, by email, to the central office, to the regional office, etc.)
  6. A shorter reporting window for ransomware attacks
  7. Other existing regulatory provisions that should be amended as a result of the proposal
  8. Potential overlap between the proposed rule and the reporting required under Unauthorized Access Guidance
  9. Comments on specific examples of incidents that should or should not constitute reportable cyber incidents

What You Should Do Next

Post Date

New NCUA Cyber Incident Reporting Rule: Is Your Credit Union Ready?

New NCUA Cyber Incident Reporting Rule: Is Your Credit Union Ready?