ALEXANDRIA, Va.–NCUA has put out for comment a proposal that would require credit unions to notify it when a cyberbreach occurs.
But the proposal, technically Part 748, Cyber Incident Notification Requirements, only requires CUs to do so when they have a “reasonable belief” a cyberbreach has occurred, and then credit unions have 72 hours to contact the federal regulator.
Under the proposed rule, a federally insured CU would be required to report a cyber incident that leads to a substantial loss of confidentiality, integrity, or availability of a member information system as a result of the exposure of sensitive data, disruption of vital member services, or that has a serious impact on the safety and resiliency of operational systems and processes.
Following the agency staff presentation on the proposed rule about cyber incident notification requirements, NCUA Board Chairman Todd Harper said the rule is “important because of rapidly evolving cybersecurity threats and the urgent need to maintain a heightened state of awareness and vigilance across credit unions and broader financial services systems…As cyberattacks grow in sophistication and scope, we need all hands on deck to protect the credit union system.”
Harper noted the proposed rule would set parameters for what constitutes a reportable incident and the minimum notification requirements, and added that by doing so the proposal would align with the Cyber Incident Reporting for Critical Infrastructure Act signed into law in March.
Alignment With Other Agencies
“The proposed rule would also bring the NCUA’s cyber incident reporting framework into greater alignment with those of other federal banking regulators,” Harper said.
Harper said the agency expects credit unions to exercise their best judgment in determining whether a substantial cyber incident is reportable to the agency.
“The NCUA board anticipates a credit union would need sufficient time to form a reasonable belief that it has experienced a reportable incident. Under this proposal, the 72-hour clock starts only once the credit union has formed a reasonable belief that it has experienced a reportable cyber incident,” Harper said.
Have Questions? Contact NCUA
Given the frequency and severity of cyber incidents within the financial services industry, Harper said NCUA is encouraging credit unions to contact the agency if they are uncertain about whether a cyber incident is reportable.
“And, this point bears underscoring, the proposed rule emphasizes the earliest possible initial report of an incident, instead of a comprehensive forensic analysis which takes longer to report,” he said.
Hauptman: A Proposal That is ‘Realistic’
NCUA Vice Chairman Kyle Hauptman said there is “no doubt” cyber security is critically important, but he also called for being “realistic about what is necessary.”
“We don’t want a bad actor to cause even more damage via a permanent regulatory burden,” Hauptman said. “One somewhat-imperfect example is that millions of Americans take their shoes off in airports every day because 21 years ago, one guy happened to use his shoes to take on-board what could have been delivered in a variety of other ways.”
Other Points Made
Hauptman said he was appreciative that NCUA staff approached the rule carefully, and noted:
- This proposed rule is about reporting to NCUA only, although additional reporting may be required by the Cybersecurity and Infrastructure Security Agency (CISA) once they promulgate their rules.
- It’s important to note that NCUA does not publicize the name of credit unions that report cyber incidents.
- Requirements on notifying credit union members and the public are not changing or being considered.
- “In this proposed rule, we are asking for comment on what should/should not be considered a reportable incident,” he said. “As it is proposed the definition follows the Cyber Incident Reporting for the Critical Infrastructure Act of 2022, part of the Consolidated Appropriations Act of 2022.”
- CUs are being asked to report as soon as possible and not later than 72 hours after the CU reasonably believes an incident has occurred. The timeframe of 72 hours is what CISA will require in 2025.
NCUA Must Also Follow Rules
“I should add that NCUA itself faces similar requirements. This is something I asked about since it is so important the government understand what it’s like to live under the same rules,” said Hauptman. “NCUA is required to report information security incidents to CISA within one hour of being identified by the agency’s top level Computer Security Incident Response Team, Security Operations Center, or information technology department.”
Hauptman further noted no timelines for providing a detailed incident assessment are being considered or changed by the NPR.
The vice chairman called on all stakeholders to file comment.
A Moving Target
Board Member Rodney Hood said NCUA must accept that cybersecurity threats are an ongoing risk, both to financial institutions' operations and to their reputations.
“Moreover, we have to accept that the risk is a moving target,” Hood said. “Today’s rule before the board reflects this reality. Every credit union must recognize that their institution is just one wrong email or malicious link away from being on the front pages. Given those realities, even those of us who favor a more balanced approach to regulatory matters, we must recognize that the agency’s cybersecurity review and supervision capabilities will necessarily have to be more robust in the days ahead. Today’s rule is a step forward in that endeavor.”
Comments on the proposed rule must be received no later than 60 days following publication in the Federal Register.
