ALEXANDRIA, Va.–In the first month following a new rule requiring credit unions to report cyber-incidents to NCUA, the agency is reporting it received 146 such reports, more than half of which were due to third-party compromises.
The update was provided to the NCUA during its board meeting by Ernie Chambers, director of the Critical Infrastructure Division in NCUA’s Office of Examination and Insurance, and Todd Finkler, cybersecurity advisor and coordinator in the Office of the Executive Director.
As CUToday.info reported, the NCUA board approved the cyber-incident reporting rule at its July 21 meeting, and it went into effect on Sept. 1. It requires CUs to inform NCUA within 72 hours of a reportable cyber incident, with cyber-incidents defined as a “substantial loss of confidentiality, integrity or availability caused by unauthorized access.”
What Agency is Doing With the Data
In response to a question from NCUA Chairman Todd Harper, Chambers said the information gathered to date from credit unions has helped to capture details on the services affected, attack types, compromise methods and the impact on credit union operations.
“This structured data provides us with valuable insights into the nature and scope of each incident and while we may not classify that reporting as real time in the strictest sense, it does approximate this capability and provides a valuable first-alert advantage for potentially worrisome cyber incidents,” said Chambers.
Additional Benefits
Chambers said other benefits include early detection and knowledge sharing, putting NCUA “in the know early.”
It also and fosters knowledge and collaboration within the credit union community, and the ability to create a network of support, he said.
NCUA reminded credit unions are to notify it of cyber incidents via:
* Email at cucyber@ncua.gov
* Voicemail at 1-833-282-9237