Breaking Down the Meaning of ‘Reportable Cyber Incidents’
To piggyback off our prior blog post, in light of the growing number of cyber incidents disrupting credit union operations, the NCUA issued a final rule that, effective September 1, 2023, requires federally insured credit unions (FICUs, including federally chartered corporate credit unions and federally insured, state-chartered corporate credit unions) to notify the NCUA of any cyber incident that rises to the level of a “reportable cyber incident.” Specifically, notification is required as soon as possible, but no later than 72 hours after a FICU reasonably believes that a reportable cyber incident has occurred, or within 72 hours after being notified by a third party of a reportable cyber incident, whichever is sooner.
The NCUA’s rule was adopted to get ahead of the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), adopted by Congress, which will not go into effect until 2025 and will require covered entities to report covered cyber incidents to the Cybersecurity and Infrastructure Security Agency (CISA) no later than 72 hours after the entity reasonably believes that a covered cyber incident has occurred. The NCUA believed it was prudent to have notification requirements in place now to bridge the gap until CIRCIA’s effective date, and it aimed to align the final rule with the reporting framework under CIRCIA. It also intends to coordinate with CISA to avoid duplicate reporting to both the NCUA and CISA.
The NCUA rule defines a “reportable cyber incident” as any substantial cyber incident that causes:
- a substantial loss of confidentiality, integrity, or availability of a network or member information system as a result of unauthorized access to or exposure of sensitive data, disruption of vital member services, or that has a serious impact on the safety and resiliency of operational systems and processes;
- a disruption of a credit union’s business operations, vital member services, or a member information system; or
- a disruption of a credit union’s business operations or unauthorized access to sensitive data, either facilitated through or caused by a compromise of a credit union service organization, cloud service provider, or other third-party data hosting provider, or a supply chain compromise.
An example of what would be considered reportable under the first prong would be an unplanned outage affecting all or a significant number of members and employees that arises out of a failed system upgrade or change. This would not include routine downtime for system updates or maintenance.

A reportable cyber incident under the second prong would include, for example, a distributed denial of service (DDoS) attack that results in a disruption of member account access. However, blocked phishing attempts, any other failed attempts to access the FICU’s systems, or unsuccessful malware attacks are not reportable.

Reportable cyber incidents under the third prong are only those affecting a third party with which the FICU has a relationship. Importantly, the clock for the 72-hour notification period starts on the earlier of the FICU being informed of the incident by the third party or the FICU forming a reasonable belief that it has occurred.
Finally, the rule includes an exception for any event where the cyber incident is performed in good faith by an entity in response to a request by the owner or operator of the information system (e.g., penetration testing conducted by a third party contracted by the FICU).
We can expect more detailed guidance from the NCUA providing additional examples of reportable and non-reportable cyber incidents in the near future.