NCUA Cyber Incident Notification Requirements.
Compliance Bulletin
 
NCUA Releases Cyber Incident Notification Requirements
Date of Bulletin:
August 22, 2023
The NCUA issued Letter to Credit Unions 23-CU-07, which provides credit unions with the awaited guidance on notifying the NCUA after the credit union reasonably believes it has experienced a reportable cyber incident, or has received a notification from a third party regarding a reportable cyber incident. The notification requirement takes effect on September 1, 2023.

The letter summarizes the amendments to part 748, known as the Cyber Incident Notification Requirements rule. It also provides instructions on what and how to report to the NCUA.

The letter also includes links to:


Notification Framework
Timeframe
The rule requires a federally insured credit union that experiences a reportable cyber incident to report the incident to the NCUA as soon as possible, and no later than 72 hours after the credit union reasonably believes that it experienced a reportable cyber incident. The 72-hour period begins when the credit union forms a reasonable belief that a reportable cyber incident has taken place.

When a federally insured credit union receives a notification from a third party that sensitive data has been compromised or business operations have been disrupted due to a cyber incident, the credit union has 72 hours to report to the NCUA. This timeframe starts from the moment the credit union receives the notification from the third party or when the credit union forms a reasonable belief that such an incident has occurred, whichever is sooner.

How to Report
To report a cyber incident, federally insured credit unions may notify the NCUA through one of the following channels:


What to Report
Federally insured credit unions should be prepared to provide as much of the following information as is known at the time of reporting:
  • Credit union name;
  • Credit union charter number;
  • Name and title of the individual reporting the incident;
  • Telephone number and email address;
  • When the credit union reasonably believed a reportable cyber incident took place; and
  • A basic description of the reportable cyber incident, including what functions were, or are reasonably believed to have been, affected, and whether sensitive information was compromised.

At the time of initial notification, do not send the NCUA:
  • Sensitive personally identifiable information;
  • Indicators of compromise;
  • Specific vulnerabilities; or
  • Email attachments.

What to Expect
If the NCUA requires additional information or clarification, the NCUA will follow up with the credit union directly.

Implementation Guidelines

Credit unions should complete the following steps when implementing the rule:

Update Response Plan
Review the existing incident response plan and update it to align with the new rule. This includes incorporating the reporting requirement timeframes and procedures for notifying the NCUA. Ensure the plan includes clear guidelines for identifying reportable incidents and escalation procedures for notifying management and the NCUA.

Review Contracts
Review contracts with critical service providers to determine if there are provisions requiring timely notification of cyber incidents.

Train Employees
Provide training to all employees, emphasizing the importance of reporting cyber incidents and the potential consequences of noncompliance. Ensure that employees understand their role in identifying and reporting incidents and provide them with necessary resources and guidance.

Monitor and Review
Regularly monitor and review the cyber incident reporting process to validate its effectiveness. Conduct periodic tests and exercises to evaluate the efficiency of the incident response plan and reporting procedures. Use lessons learned from these exercises to make improvements and update the plan.

Document All Incidents
Document all cyber incidents, regardless of whether they meet the reporting criteria, and maintain records in accordance with the organization’s retention policies. This documentation is essential and serves as a valuable resource for future incident response and reporting efforts. Documentation also provides an audit trail to support management’s reporting decisions.

Specifically, document:

  • Indicators of compromise;
  • Network information or traffic regarding the attack;
  • The attack vector;
  • Information on any exfiltrated data; and
  • Any forensic or other reports about the reportable cyber incident.

If you have questions about this communication, contact GoWest’s compliance team at 800.546.4465, or compliance@gowest.org.

This bulletin was brought to you by the GoWest Credit Union Association.
David Curtis
Director, Compliance Services
GoWest Credit Union Association

P: 206.340.4785 | TF: 800.546.4465

Copyright © 2023 GoWest Credit Union Association. All Rights Reserved.