NCUA’s New Cyber Reporting Rule
By Jennifer Williams
August 25, 2023
The date for compliance with NCUA’s new cyber reporting rule is coming up quickly on September 1, 2023. Hopefully your credit union is prepared and ready to comply. If not, don’t despair, SW&M can assist if you still need assistance, after reviewing the below, as well as our previous two blog posts – Breaking Down the Meaning of Reportable Cyber Incidents and Cyber Incident Reporting Guide: The Top 3 Urgent Postattack Response Steps. While the reporting requirement of seventy-two (72) hours varies from the FDIC’s 2021 detail-intensive reporting requirement of thirty-six (36) hours but may align more closely with the upcoming Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) [with the reasonable belief standard and the seventy-two-hour reporting requirement] where the Cybersecurity and Infrastructure Agency (CISA) has until 2025 to publish a final rule.
Where should you start, or what should you review that you’ve already done…
Start with your credit union’s Incident Response Plan. Have you reviewed it and ensured that it aligns with the new reporting timeframe? Does it detail the different requirements for reporting to the state regulators, if your state requires, including the timeframe and what needs to be reported? Is there a template to fill out to ensure those reports contain all the required details and can be completed precisely and timely? Does it include notification to members, when required, and include templates?
For all new contracts, attempting to include provisions requiring timely notification of cyber incidents, particularly for critical vendors is recommended. Depending on your credit union’s risk appetite, you may want to attempt to add addendums to critical vendor contracts to ensure timely notification. However, it is a challenging space as it’s clear the reporting burden is on the credit union, but the vendor would have to notify the credit union of the occurrence of any incident. Some vendors have challenged notification timeframes, but now that there’s a federal regulation and you can outline exactly what information you need from the vendor, they may be more amenable to inserting an addendum to an existing or a provision into a new contract.
Employee training is always a critical component of rule changes. Credit unions may be under the impression that only the Tech Team or the person designated to report under Part 748 needs to know about this rule. However, all employees should be informed of the new rule and made aware that the credit union is now required to report cyber incidents, so they, as employees, are required to report too should they identify an incident. Training shouldn’t be conducted just once (at the time the rule is implemented or when new employees are hired), but on an ongoing basis to ensure awareness and compliance.
Just like your credit union conducts regular business continuity tests, your credit union should also monitor and test the cyber incident reporting process. It’s possible to combine both a business continuity test and a cyber incident reporting test to evaluate the effectiveness and efficacy of both programs. A test at the beginning of the compliance period would be a best practice and then an annual test thereafter to ensure that the credit union is prepared, adjusts its process should they need to from previous tests, and regularly updates the Incident Response Plan.
Documentation and record retention of all cyber incidents, whether reportable or not, should be completed by the credit union. For larger credit unions, a risk committee or a committee made up of your risk management and technology teams may already review incident reporting on a monthly or quarterly basis as a part of its regular review of cyber risks. Meeting notes of these committee meetings that go into detail about the cyber incident should be sufficient or one department or representative may want to create a template report to document incidents (which may be more manageable at smaller credit unions without such committees). An incident tracking log would be beneficial to determine existing and potential cyber security risk and track progress.
Since our last post, the NCUA has issue a Letter to Credit Unions to assist with compliance with the implementation of the final rule. The NCUA included two appendices, A and B, which provide great examples of reportable and nonreportable incidents. Member information that was compromised because of card skimming at a credit union’s ATM is included in Appendix A and a reportable incident. A social engineering attack leading to fraudulent wire transfers is also a required reporting example, so if your accounts payable team receives an altered invoice or your wire team receives an altered mortgage payoff and pays it via wire, these incidents should be reported to NCUA. These NCUA examples are slightly different than many of the other examples and show the criticality of training all employees to ensure the requisite incidents are reported in accordance with the rule. While all scenarios would be impossible to capture, these appendices provide a great outline and indication of NCUA’s expectations to make compliance much easier.
When you report, the NCUA is not expecting a fully comprehensive debrief on the incident. At the time of reporting, NCUA wants basic information, not indicators of the compromise, specific vulnerabilities, PII, or attachments. NCUA wants to know: 1) Credit union name; 2) Credit union charter number; 3)Name and title of individual reporting the incident; 4) Telephone number and email address of the individual reporting; 5) When the credit union reasonably believed a reportable cyber incident took place; and 6) A basic description of the reportable cyber incident (what functions were, or are reasonably believed to have been affected or if sensitive information was compromised). There are two ways that a credit union can report a cyber incident:
- Call the NCUA on 1.833.292.3728 and leave a voicemail; or
- Send a secure message via National Credit Union Administration Secure Email Message Center.
While the cyber reporting rule may seem straightforward, there are nuanced situations that may arise in a credit union’s normal course of business. If your credit union is dealing with a potential cyber incident or wants to address any of the aforementioned proactively, please reach out to SW&M for draft templates for your Incident Response Plan or a review of the Plan, review of contracts (new and existing) of critical vendors, assistance with testing or training, or any assistance in regard to compliance and implementation of the new rule.