
Will You Be Ready When NCUA’s Cyber Reporting Rule Takes Effect Sept. 1?

By Lisa Hudson Kim


Start preparing your incident response plan now.

Sponsored by Kaufman & Canoles, P.C., a CUES Supplier member

Cyber incidents are in the news and on the rise. Now there is a mandatory cyber incident reporting rule, unanimously adopted by the National Credit Union Administration board and scheduled to take effect Sept. 1. It will require every federally insured credit union to report a “reportable cyber incident” to its NCUA contact as soon as possible, and in no event later than 72 hours after the credit union reasonably believes it has experienced a cyber incident that qualifies as reportable. The same 72-hour clock starts when a third-party source notifies the credit union of a reportable cyber incident.

NCUA’s designation of cybersecurity as a stated supervisory priority, coupled with this new three-day cyber reporting rule, signals the importance the regulator places on safeguarding credit union members’ data. NCUA has made clear that credit unions will be held to high standards for cybersecurity and for data protection, preservation and privacy.

The rule adds a layer of NCUA compliance requirements on top of the state data breach laws that already apply to credit unions. It covers disruptive ransomware incidents, network outages caused by a cyberattack or an exploited vulnerability, and privacy incidents such as unauthorized access to member information, whether the incident occurs at the credit union itself or at a vendor such as a service provider.

Reportable Cyber Incidents, According to the Rule

What exactly is a “reportable cyber incident” that triggers the new rule? The following descriptions from 12 C.F.R. Section 748.1(c)(1) provide helpful guidance, with the understanding that NCUA will likely provide further insight before Sept. 1:

(1) “[a] substantial loss of confidentiality, integrity, or availability of a network or member information system … that results from the unauthorized access to or exposure of sensitive data, disrupts vital member services … or has a serious impact on the safety and resiliency of operational systems and processes”;

(2) “[a] disruption of business operations, vital member services, or a member information system resulting from a cyberattack or exploitation of vulnerabilities”; or

(3) “[a] disruption of business operations or unauthorized access to sensitive data facilitated through, or caused by, a compromise of a credit union service organization, cloud service provider, or other third-party data hosting provider or by a supply chain compromise.”

NCUA has indicated that if a credit union becomes aware that a substantial amount of sensitive data has been accessed, modified or destroyed without authorization, or that the integrity of a network or information system containing member data has been compromised, the cyber incident rises to the level of being reportable.

The definitions are framed broadly, but notably each carries a qualifier: the loss, disruption or unauthorized access must be substantial. Minor, insignificant or inconsequential events are not intended to be subject to mandatory reporting. This means a credit union must conduct a fact-specific analysis of the circumstances of each cyber incident and evaluate how it affects the credit union and its membership, and it should document that analysis even when the conclusion is that the incident is not reportable.

An incident response plan, combined with sound data management and due diligence over vendors, is the recommended course for complying with the new rule. Now is the time to take stock of existing policies, procedures and protocols and tighten them to strengthen cybersecurity protections and safeguards.

Build, Implement and Test Response Plan

What should a credit union specifically do in response to this new rule? 

  1. Start preparing now. Don’t wait until the summer to prepare for Sept. 1. Cyber incidents present unique operational challenges, so mandatory reporting procedures need to be worked out and put in place well beforehand; trying to build them during an incident only compounds a difficult situation.
  2. Make sure there is a data incident response plan in place that complies with the three-day cyber reporting rule. The plan may include the following elements:
  • Confirm that incidents are identified and escalated during the initial phase of incident response so that NCUA can be notified promptly; the 72-hour clock starts when the credit union reasonably believes a reportable incident has occurred, not when the investigation concludes.
  • Establish criteria for assessing when an incident becomes substantial, based on the credit union’s specific characteristics.
  • Identify the responsible parties who will decide whether an incident is reportable.
  • Confirm consistency between the credit union’s responsibilities under the new rule and existing state laws, guidance and contracts.
  • Document the notification format for NCUA, including content, recipient, and the method of delivering and recording the notification.
  • Set a procedure for documenting notifications to NCUA, and for documenting the determination when notification is found not to be required.
  • Prepare form notices that can be used quickly in the event of an incident.
  • Distribute the response plan to everyone tasked with implementing it, and retain both hard and electronic copies so the plan remains available if the credit union’s systems are inaccessible during an incident.
  • Drill on the new incident response plan to identify challenges, lags and gaps, and to reduce response times and improve effectiveness and preparedness.
  • Take stock of and inventory sensitive data, including where it is stored, and review the retention period applied by each service provider/vendor.
  • Audit where sensitive data that may be vulnerable to a cyber incident resides, so that exposure is understood before an incident occurs.
  • Evaluate service provider relationships and contracts to ensure compliance with the new rule at every level, paying particular attention to the provider’s duty to notify the credit union of incidents involving sensitive member information and data.
  • Note that incidents at service providers still fall under the new rule even when the provider has no access to member data and only provides infrastructure services.

Lisa Hudson Kim is an experienced attorney practicing with the credit union team in the Virginia Beach, Virginia, office of Kaufman & Canoles, P.C., a CUES Supplier member. Kim has more than two decades of commercial litigation experience, including compliance issues and representation of credit unions and financial institutions throughout Virginia and North Carolina state and federal courts. Reach her at 757.491.4017.
