NCUA Letter Reminds That New Rule on Cyber-Incidents Is About to Go Into Effect

ALEXANDRIA, Va.–NCUA has sent a Letter to Credit Unions with a reminder that effective Sept. 1, all federally insured credit unions must notify the agency as soon as possible, and no later than 72 hours, after the CU reasonably believes it has experienced a reportable cyber incident or received a notification from a third party regarding a reportable cyber incident.

As NCUA noted, the letter summarizes the amendments to part 748, known as the Cyber Incident Notification Requirements rule. It also provides instructions on what and how to report to the NCUA, and includes examples of both reportable and non-reportable incidents. To facilitate incident reporting, the NCUA is also enclosing a cyber incident reporting quick reference guide.

“The Cyber Incident Notification Requirements rule defines a cyber incident as an occurrence that actually or imminently jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information on an information system or actually or imminently jeopardizes, without lawful authority, an information system,” the agency said.

The Definition

The rule then defines a reportable cyber incident as any substantial cyber incident that leads to one or more of the following outcomes, according to NCUA:

  • “A substantial loss of confidentiality, integrity, or availability of a network or member information system that results from the unauthorized access to or exposure of sensitive data, disrupts vital member services, or has a serious impact on the safety and resiliency of operational systems and processes.”
  • “A disruption of business operations, vital member services, or a member information system resulting from a cyberattack or exploitation of vulnerabilities.”
  • “A disruption of business operations or unauthorized access to sensitive data facilitated through, or caused by, a compromise of a credit union service organization, cloud service provider, or other third-party data hosting provider or by a supply chain compromise.”

‘Reasonable Judgement Expected’

“The overall definition of a reportable cyber incident is intended to capture the reporting of substantial cyber incidents,” NCUA said. “A credit union’s determination of ‘substantial’ depends on a variety of factors, including the size of the credit union, the type and impact of the loss, and its duration. The NCUA expects a federally insured credit union to exercise reasonable judgment in determining whether it experienced a substantial cyber incident that is reportable to the agency. If a federally insured credit union is unsure as to whether a cyber incident is reportable, it should contact the NCUA as soon as possible.”

The full letter can be found here.

Copyright Holder: CUToday.info
Copyright Year: 2026