CyberSecurity SEE

New NCUA Rule Mandates Cyberattack Reporting by Credit Unions Within 3 Days

The National Credit Union Administration (NCUA) has announced an updated cyberattack reporting policy, which requires all federally insured credit unions to report cyber incidents within 72 hours. The countdown begins once a credit union has formed a “reasonable belief” that a reportable cyber incident has occurred. This can be triggered by various events, such as being informed by a third party about a data compromise or experiencing disruptions caused by a cyber attack.

The NCUA’s policy covers all incidents that impact information systems or compromise the integrity, confidentiality, or availability of data stored within those systems. It emphasizes that credit unions should report incidents that lead to network or system compromise as a result of unauthorized access to sensitive information or the exposure of such information. It also includes disruptions to services or operational systems.

The NCUA provides specific examples of cyber incidents that credit unions should report. These include distributed denial-of-service (DDoS) attacks, which can disrupt business operations or services. Additionally, unexpected malfunctions that block customers’ access to their accounts for a significant period of time, unauthorized tampering with systems, and accidental exposures of sensitive data should all be reported. The policy also states that credit unions must report any data breaches or disruptions that occur as a result of a cyber attack on third-party service providers.

However, the NCUA clarifies that not all cyber incidents need to be reported. Failed attacks, like phishing attempts that were successfully blocked, do not fall under the reporting requirements of the new policy. The NCUA wants to capture the reporting of substantial cyber incidents, and the determination of what is considered “substantial” depends on various factors such as the size of the credit union, the type and impact of the loss, and the duration of the incident.

The revised cyber incident reporting rule is set to go into effect on September 1. Credit unions are advised to continue following the previous reporting framework for incidents involving unauthorized access to user data that do not fall under the new rules.

Credit unions play a crucial role in the financial sector, and their adherence to robust cyber incident reporting policies is vital for maintaining cybersecurity. Timely reporting allows for swift and effective response measures to be implemented, reducing the potential damage caused by cyber attacks. By requiring credit unions to report within 72 hours, the NCUA aims to enhance cyber incident detection and response capabilities across the industry.

Cybersecurity threats are continuously evolving, and credit unions must stay vigilant to protect themselves and their customers. Reporting incidents promptly helps create an environment of information sharing, enabling the identification of trends, vulnerabilities, and emerging cyber attack techniques. This information can then be used to strengthen cybersecurity defenses and raise awareness among credit unions.

In an era when cyber attacks are becoming increasingly sophisticated and prevalent, the NCUA’s updated cyber incident reporting policy is a proactive step towards combating cyber threats. It not only strengthens the cybersecurity posture of credit unions but also bolsters the overall resilience of the financial sector. By ensuring that substantial cyber incidents are promptly reported, the NCUA and credit unions can work together to mitigate the risks of cyber attacks and safeguard the financial well-being of their members.
