Note: This article was updated on August 14, 2023. See the update log at the bottom of the article.
On February 16, 2023, the National Credit Union Administration (NCUA) Board unanimously approved a rule titled "Cyber Incident Notification Requirements for Federally Insured Credit Unions." The rule is effective as of September 1, 2023. Let's take a look at how we got here, what the final rule says, and what credit unions need to do in response.
How We Got Here
In July 2022, the NCUA published the proposed version of the rule. (Read a summary on our blog: The Proposed Cyber Incident Notification Requirements for Credit Unions. It covers different information from what is covered here.)
The proposed version had a 60-day comment period. During that window, 17 comments were submitted by credit unions, trade associations, leagues, service providers, and individual people. The NCUA provided a summary of these comments, along with responses in the final rule.
- Some commenters expressed thoughts about the rule. Twelve supported it and four disagreed with the premise. The NCUA responded, "the agency has a statutory obligation to ensure the safety and soundness of the credit union system." As such, the NCUA needs to know when cyber incidents happen that could impact credit unions or their members.
- Some commenters asked for clarity. Specifically, there was some confusion about the reporting process, examples of "reportable cyber incidents," and policy expectations. The NCUA promised future guidance on these topics. See the "Additional Guidance" section below for details.
- Some commenters wished for coordination. As other federal and state agencies publish incident notification requirements (like CISA's anticipated upcoming cyber incident reporting rule), the NCUA said they "intend to coordinate" as much as possible.
- Some commenters inquired about confidentiality. Five commenters asked about how the NCUA will make sure their data is protected by "confidentiality controls and limits on the number of agency personnel with access to the reported information." They also asked that the data be exempt from Freedom of Information Act (FOIA) requests. The NCUA confirmed the data would be secure and exempt from FOIA requests.
- Some commenters wondered how exams might be impacted. To quote the rule, "this rule does not change the examination and supervision process." Examiners may still review cyber incidents, as part of the exam. For additional information about what examiners will be looking at, see the "Incident Response" component of the NCUA's Information Security Examination procedures.
In short, the commenters provided helpful feedback and asked good questions. While the comments did not substantially change the final rule, the comment period did result in clarity and the promise of additional guidance from the NCUA, which was published on August 14, 2023.
What the Final Rule Says
The final rule requires federally insured credit unions to notify the NCUA as soon as possible, and within 72 hours of believing that the credit union has experienced a reportable cyber incident. Let's break this down a bit.
Who?
The rule applies to federally insured credit unions. This includes federal credit unions, federally insured state-chartered credit unions, and all federally insured corporate credit unions.
When?
Credit unions must notify the NCUA as soon as possible and within 72 hours. The rule explains "this is the same reporting requirement CISA must implement under the Cyber Incident Reporting Act."
What?
The definition of "reportable cyber incident" is multi-faceted.
Part 1: It starts with the definition of a cyber incident, which the NCUA adopted as-is from NIST.
"An occurrence that actually or imminently jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information on an information system, or actually or imminently jeopardizes, without lawful authority, an information system."
Part 2: It must also be a "substantial" cyber incident. When asked about the legal definition of substantial, the NCUA quoted the Merriam-Webster Dictionary:
"Something that is important, essential, considerable in quantity, or significantly great."
Letter to Credit Unions 23-CU-07 specified that a credit union's determination of the term "substantial" could depend on several factors, such as "the size of the credit union, the type and impact of the loss, and its duration."
Part 3: It must also lead to one or more of the following.
- "A substantial loss of confidentiality, integrity, or availability of a network or member information system as defined in appendix A, section I.B.2. e., of this part that results from the unauthorized access to or exposure of sensitive data, disrupts vital member services as defined in § 749.1 of this chapter, or has a serious impact on the safety and resiliency of operational systems and processes.
- A disruption of business operations, vital member services, or a member information system resulting from a cyberattack or exploitation of vulnerabilities.
- A disruption of business operations or unauthorized access to sensitive data facilitated through, or caused by, a compromise of a credit union service organization, cloud service provider, or other third-party data hosting provider or by a supply chain compromise."
Part 4: There is an exclusion for certain intentional events.
"A reportable cyber incident does not include any event where the cyber incident is performed in good faith by an entity in response to a specific request by the owner or operators of the system."
It is worth noting that certain events which were originally conducted "in good faith" could turn into a reportable cyber incident. For example, a system taken offline for scheduled updates is a good-faith activity. If, however, the system update failed and caused unplanned, widespread outages, the event would be reportable, according to the final rule (page 7).
How?
Due to the nature of "reportable cyber incidents," each event will need to be analyzed to determine if it qualifies. That said, to quote the final rule one last time, "anytime a FICU is unsure as to whether a cyber incident is reportable, the Board encourages the FICU to contact the agency."
To help with that analysis, here is a tool to guide you through the thought process. Follow the decision tree below to help you figure out whether your situation would be best classified as a "reportable cyber incident."
Download a PDF version of the decision tree.
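The same decision tree can be encoded so an incident handler walks Parts 1 through 4 in order, records why a decision was reached, and tracks the 72-hour clock. The following Python is an added example written for this article; it is not code from the NCUA, from Tandem, or from the decision tree PDF. The field names, the scenarios, and the timestamp T0 are constructed for illustration, and the "substantial" judgment (Part 2) is left to the handler rather than computed, since the letter ties it to the credit union's size, the type and impact of the loss, and its duration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# Notify as soon as possible and within 72 hours of believing a
# reportable cyber incident occurred.
NOTIFICATION_WINDOW = timedelta(hours=72)


@dataclass
class IncidentAssessment:
    """Answers an incident handler records while walking the rule's four parts.
    Field names are this example's own shorthand, not terms from the rule."""
    name: str
    # Part 1: does the event meet the NIST "cyber incident" definition
    # (actually or imminently jeopardizes the confidentiality, integrity or
    # availability of information or an information system, without
    # lawful authority)?
    meets_nist_definition: bool
    # Part 2: is the incident "substantial" for this credit union, judged by
    # its size, the type and impact of the loss, and the duration?
    substantial: bool
    # Part 3: which of the three listed outcomes occurred?
    loss_on_member_information_system: bool = False
    disruption_of_operations_or_vital_member_services: bool = False
    disruption_via_third_party_or_supply_chain: bool = False
    # Part 4: was the event performed in good faith at the specific request
    # of the system owner or operator (for example, a scheduled update)?
    good_faith_at_owner_request: bool = False
    # When the credit union came to believe a reportable incident occurred;
    # the 72-hour clock starts here.
    believed_at: Optional[datetime] = None


def classify(a: IncidentAssessment) -> Tuple[bool, List[str]]:
    """Walk Parts 1-4 in the article's order; return (reportable, reasons)."""
    reasons: List[str] = []
    if not a.meets_nist_definition:
        reasons.append("Part 1: does not meet the NIST cyber incident definition")
        return False, reasons
    if not a.substantial:
        reasons.append("Part 2: incident is not substantial")
        return False, reasons
    outcomes = [
        ("Part 3a: substantial CIA loss on a network or member information system",
         a.loss_on_member_information_system),
        ("Part 3b: disruption of business operations or vital member services",
         a.disruption_of_operations_or_vital_member_services),
        ("Part 3c: disruption via CUSO, cloud/hosting provider or supply chain",
         a.disruption_via_third_party_or_supply_chain),
    ]
    met = [label for label, hit in outcomes if hit]
    if not met:
        reasons.append("Part 3: none of the three listed outcomes occurred")
        return False, reasons
    reasons.extend(met)
    if a.good_faith_at_owner_request:
        reasons.append("Part 4: excluded, performed in good faith at the owner's request")
        return False, reasons
    reasons.append("Parts 1-4 satisfied: reportable cyber incident")
    return True, reasons


def notification_deadline(believed_at: datetime) -> datetime:
    """Latest time to notify the NCUA (833-CYBERCU or cybercu@ncua.gov)."""
    return believed_at + NOTIFICATION_WINDOW


def hours_remaining(believed_at: datetime, now: datetime) -> float:
    """Hours left in the window; negative once the deadline has passed."""
    return (notification_deadline(believed_at) - now).total_seconds() / 3600


# Constructed scenarios; T0 is an invented timestamp, not a real incident.
T0 = datetime(2023, 9, 5, 14, 30, tzinfo=timezone.utc)
SCENARIOS = [
    # Scheduled core update: the outage during the window is exactly what the
    # owner requested, so Part 4 excludes it.
    IncidentAssessment("planned core update window", True, True,
                       disruption_of_operations_or_vital_member_services=True,
                       good_faith_at_owner_request=True),
    # The same update fails and causes unplanned, widespread outages; the
    # outage was not what the owner requested, so Part 4 no longer applies.
    IncidentAssessment("failed update, widespread outage", True, True,
                       disruption_of_operations_or_vital_member_services=True,
                       believed_at=T0),
    # Compromise at a cloud service provider exposes sensitive member data.
    IncidentAssessment("cloud provider compromise", True, True,
                       disruption_via_third_party_or_supply_chain=True,
                       believed_at=T0),
    # Blocked phishing attempt: no loss or disruption, not substantial.
    IncidentAssessment("blocked phishing email", True, False),
]


if __name__ == "__main__":
    now = T0 + timedelta(hours=20)  # constructed "current time" for the demo
    for a in SCENARIOS:
        reportable, reasons = classify(a)
        print(f"{a.name}: {'REPORTABLE' if reportable else 'not reportable'}")
        for r in reasons:
            print("  -", r)
        if reportable and a.believed_at:
            print(f"  notify by {notification_deadline(a.believed_at):%Y-%m-%d %H:%M %Z}"
                  f" ({hours_remaining(a.believed_at, now):.1f} h left)")
```

The reasons list is the useful part for an examiner: it records which part of the definition the decision turned on, which is exactly the documentation the "Document All Incidents" step below asks for, whether or not the event ends up reportable. The scenarios deliberately include the failed-update case from the final rule so the Part 4 exclusion is exercised both ways.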
Additional Guidance
On August 14, 2023, the NCUA published their Letter to Credit Unions 23-CU-07 Cyber Incident Notification Requirements. The letter provides credit unions with a summary of the rule, a notification framework, and implementation guidelines.
The guidance states credit unions may notify the NCUA of a reportable cyber incident in one of two ways:
- By Phone: 833-CYBERCU (833-292-3728)
- By Email: Use the NCUA Secure Email Message Center to send a secure email to cybercu@ncua.gov. Refer to the instructions provided by the NCUA for details.
What Credit Unions Need to Do
The NCUA recommends five steps for implementing these new requirements.
- Update Response Plan. Review your existing incident response plan and ensure it documents how, when, to whom, and by whom notice of a "reportable cyber incident" would be provided.
- Review Contracts. Review third-party agreements to ensure language exists requiring them to notify your credit union of a cyber incident in a timely manner.
- Train Employees. All employees should receive training on how to prevent, detect, and respond to a cyber incident. Certain employees should receive targeted training on ensuring the requirements of this rule are met. For additional resources, see our article on Security Incident Management Training: What Employees Need to Know.
- Monitor and Review. Keep an eye on how these changes impact your incident response process. Conduct exercises and tests, and document lessons learned to ensure the Incident Response Plan is effective.
- Document All Incidents. This means all incidents, not only the ones which would be classified as a reportable cyber incident. For more on this, see our article on 5 Benefits of an Incident Tracking System.
If you are looking to take your incident management process to the next level, check out Tandem Incident Management. This product is designed to help credit unions create and manage a formal Incident Response Plan, including tracking incidents as they occur. For more information, sign up to watch a demo today.
08/14/2023 Update: This article was updated to address the NCUA's Letter to Credit Unions 23-CU-07 Cyber Incident Notification Requirements.