Cyber Incident Notification Requirements
Messick Lauer & Smith P.C.
Helping CUSOs and Credit Unions Every Step of the Way
The NCUA’s rule on cyber incident notification requirements for federally insured credit unions will become effective on September 1, 2023. On Monday, the NCUA sent out a Letter to Credit Unions that includes further guidance, reference materials, and NCUA expectations regarding the requirements for credit unions to comply with the new regulation. The Letter defined, and included examples of, reportable and non-reportable cyber incidents. The Letter was clear in stating that reportable cyber incidents are only intended to capture “substantial” cyber incidents, which, in addition to the examples cited in the reference materials, should be determined in the credit union’s reasonable judgment on a case-by-case basis based on certain factors, including the size of the credit union, the type and impact of the loss, and the duration of the incident.
The Letter also included a notification framework for credit unions in the event they reasonably believe, or are notified, that a reportable cyber incident has occurred (i.e. a reportable cyber incident must be reported no later than 72 hours after the credit union reasonably believes that it has experienced one), how to report the incident to the NCUA, and the contents of the report (and what not to include in the report).
If you have not already, your credit union should take the following steps in light of the new rule:
1) Update the credit union’s existing incident response plan(s) to incorporate or include the requirements under this rule. It is also important as part of any update to advise and train employees about the new NCUA requirements so your employees understand their responsibilities in identifying and reporting any cyber incidents to appropriate personnel at the credit union.
2) Review agreements (starting with critical vendors) to make sure that timely notification of a cyber incident is addressed in the agreement. Although the regulation does not require credit unions to modify existing vendor agreements in light of the rule change, it is best practice to receive timely notification of security breaches attributable to your vendors, especially those breaches that rise to the level of a “reportable cyber incident” under the new rule.
For some final takeaways, the Letter also emphasized that it continues to be important to document all cyber incidents, even if they do not rise to the level of being reportable, as a best practice that serves as a valuable resource in identifying, detecting, and mitigating future incidents. Also, please remember that the requirements under this NCUA rule are in addition to, and do not replace, other cyber incident reporting requirements under other applicable federal or state laws. In addition, the member notification requirements found in Part 748, Appendix B are not impacted by the new rule. Therefore, it remains important to continue to follow, and update your plans to reflect, any and all changes to notification requirements under other applicable federal and state laws.
Feel free to reach out to us if you have any questions about the new rule or any of the guidance issued by the NCUA this week.