On July 21, 2022, the National Credit Union Administration (NCUA) published a new proposed rule titled "Cyber Incident Notification Requirements for Federally Insured Credit Unions." In this article, we will review the proposed rule; compare the requirements with the recently published incident notification rule for banks by the FDIC, OCC, and Federal Reserve; and discuss what credit unions can do in response.
About the Proposed Rule
The proposed rule would require credit unions to notify the NCUA "as soon as possible and no later than 72 hours after the federally insured credit union reasonably believes that it has experienced a reportable cyber incident." Let's define some terms and talk about what this means.
Timing: ASAP and within 72 Hours
This recommended timeframe harmonizes with the recently published Cyber Incident Reporting Act, which requires CISA to publish an incident notification rule by September 2025, per the NCUA. The NCUA decided to get a head start, saying "it would be imprudent in light of the increasing frequency and severity of cyber incidents to postpone a notification requirement until after CISA promulgates a final rule."
The timeframe of 72 hours doubles the time requirement of the incident notification rule for banks, which requires notice as soon as possible and within 36 hours.
Applicability: Federally Insured Credit Unions
This proposed rule would apply only to federally insured credit unions (FICUs), federally chartered corporate credit unions, and federally insured, state-chartered corporate credit unions.
It does not apply to privately insured, state-chartered credit unions or to credit union service organizations (CUSOs).
Scope: Reportable Cyber Incidents
This is where it gets interesting. There are two important definitions here: "cyber incident" and "reportable cyber incident."
The NCUA defines a "cyber incident" (page 27) as:
"An occurrence that actually or imminently jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information on an information system or that actually or imminently jeopardizes, without lawful authority, an information system."
While similar to the definition of "computer-security incident" from the incident notification rule for banks and "cyber incident" from the Cyber Incident Reporting Act, the NCUA's definition features one unique quality. Where the other agencies emphasize the incident must "actually jeopardize" or cause "actual harm," the NCUA's proposed rule expands the scope and uses the phrase "actually or imminently jeopardizes."
This is similar to the proposed version of the incident notification rule for banks, which talked about "actual or potential harm." Based on comments the federal banking agencies received, they ultimately streamlined their definition to only "actual harm" to reduce "unnecessary notification" and limit the burden placed on banks.
Reportable Cyber Incident
The NCUA defines a "reportable cyber incident" (page 26) as:
"Any substantial cyber incident that leads to one or more of the following:
- A substantial loss of confidentiality, integrity, or availability of a network or member information system that results from the unauthorized access to or exposure of sensitive data, disrupts vital member services, or has a serious impact on the safety and resiliency of operational systems and processes.
- A disruption of business operations, vital member services, or a member information system resulting from a cyberattack or exploitation of vulnerabilities.
- A disruption of business operations or unauthorized access to sensitive data facilitated through, or caused by, a compromise of a credit union service organization, cloud service provider, managed service provider, or other third-party data hosting provider or by a supply chain compromise."
At first glance, it would be reasonable to assume this is equivalent to the federal banking agencies' definition of "notification incident." Yet there is a substantial difference that comes down to the words "would" and "could."
- The federal banking agencies want to know about a particularly consequential subset of computer-security incidents. These are incidents which would cause "material" harm, causing the bank to halt operations for an extended time, fail as a business, or even pose a threat to the financial stability of the United States.
- The NCUA wants to know about any kind of "substantial" cyber incident. (Note that "substantial" is not specifically defined and is, according to the NCUA, left up to the reader's "reasonable judgement.") These are incidents which could cause a security breach or disruption to operations.
Examples of Reportable Cyber Incidents
The NCUA's proposed rule cites eight examples of reportable cyber incidents (page 10), including:
"- A computer hacking incident that disables a FICU's operations.
- A ransom malware attack that encrypts a core banking system or backup data.
- Third-party notification to a FICU that they have experienced a breach of a FICU employee's personally identifiable information (PII).
- A detected, unauthorized intrusion into a network information system.
- Discovery or identification of zero-day malware in a network or information system.
- Internal breach or data theft by an insider.
- A systems compromise resulting from card skimming.
- Sensitive data exfiltrated outside of the FICU or a contracted third party in an unauthorized manner, such as through a flash drive or online storage account."
The first two items on the list are shared between the NCUA's proposed rule and the incident notification rule for banks. The remainder of the items on the NCUA's list are additional things which credit unions would be required to report.
If you compare the two rules, you may notice the lack of reporting requirements for third parties. Unlike the federal banking agencies, which were granted authority over certain third parties through the Bank Service Company Act (BSCA), the NCUA does not have regulatory authority over third-party service providers. The NCUA is exploring how it may obtain this authority, but for the time being it instead plans to require credit unions to report "substantial" cyber incidents related to their third parties, as shown in the examples above.
How to Report Incidents
The proposed rule would require credit unions to "notify the appropriate NCUA-designated point of contact […] via email, telephone, or other similar methods that the NCUA may prescribe."
The proposed rule matches the incident notification rule for banks in that it does not require a standard reporting form. However, the NCUA's commentary on the proposed rule states, "the agency will require only certain basic information" (page 11) such as:
- A description of the incident, including what it affected.
- The estimated date range of the incident.
- A description of how the incident was carried out.
- Identification of the incident's perpetrators.
- The impact to the credit union's operations.
Estimated Annual Burden
Perhaps the most fascinating aspect of the proposed rule was the estimated annual burden and how it compares to the incident notification rule for banks.
- The federal banking agencies estimated the "reporting" component of their incident notification rule would add a regulatory burden of 450 hours, assuming approximately 150 incidents at 3 hours per report. (Note: This is total across all supervised entities from the three agencies.)
- The NCUA estimates the reporting requirement would add "one-hour annual reporting burden on each FICU, for a total of 4,903 hours" (page 24). An estimated number of cyber incidents which may occur is not noted.
Beyond the reporting requirement itself, neither of these estimates factors in the amount of time it takes a financial institution to determine whether an incident is "reportable" or not. Since the incident notification rule for banks went into effect, several banks have reached out to us asking, "Is this specific scenario a notification incident?" I personally have spent more than three hours helping clients determine how to best answer this question, which leads me to wonder if even the estimated annual burden for banks was underestimated. (For the record, the answer to their question usually looks like, "It depends, but it never hurts to go ahead and report it.")
The agencies welcome comments on their estimates. If you work for a credit union, it could be very helpful if you looked at the incidents you experienced in the last year and asked these questions.
- Based on the definition, which of these would be considered a "reportable cyber incident?"
- How much time did it take you to determine if it was a "reportable cyber incident?"
- How much time would it have taken to report this incident to the NCUA?
- Was the time you spent on this process greater than "one-hour?"
If so, this would be valuable information for you to share with the NCUA, which is a great segue into our final section.
What Can Credit Unions Do?
The first and most important thing credit unions can do is let your voice be heard. You can comment on the NCUA's proposed rule until September 26, 2022, sixty days after its publication in the Federal Register. Share your thoughts or answer some of the questions the NCUA asked about the proposed rule (pages 19–21).
Comments may be submitted, referencing RIN 3133-AF47, via the following methods:
- Online: https://www.regulations.gov/docket/NCUA-2022-0099
- By Fax: (703) 518-6319
Include "[Your Name] – Comments on Proposed Rule: Cyber Incident Notification Requirements for Federally Insured Credit Unions" in the transmittal.
- By Mail:
Secretary of the Board
National Credit Union Administration
1775 Duke Street
Alexandria, Virginia 22314-3428
If your credit union subscribes to Tandem Incident Management or Tandem Policies, recommended updates will be made to the Incident Response Plan and Incident Management policy following the publication of the final rule. Keep an eye on the Software Updates Blog or subscribe to Tandem's monthly newsletter for additional information.
To learn more about how Tandem can help your credit union more effectively manage incidents and incident reporting requirements, check out Tandem.App/Incident-Management-Software.