NCUA’S LATEST CYBER SECURITY REPORTING REGULATION BECOMES EFFECTIVE SEPTEMBER 1
Tuesday, August 15, 2023
As we reported in our Client Update of February 22, the NCUA Board approved in February of this year, by a unanimous 3-0 vote, a final rule whereby federally insured credit unions are required to report a cyber incident that leads to a substantial loss of confidentiality, integrity, or availability of a network or member information system as a result of the exposure of sensitive data or the disruption of vital member services, or that has a serious impact on the safety and resiliency of operational systems and processes.
Additionally, cyberattacks that disrupt a credit union’s business operations, vital member services, or a member information system must be reported to the NCUA within 72 hours of a credit union’s reasonable belief that it has experienced a cyberattack.
The 72-hour notification requirement provides an early alert to the NCUA and does not require credit unions to provide a full incident assessment to the NCUA within the 72-hour timeframe.
Today NCUA issued a Letter to Credit Unions providing guidance on this new rule as it is scheduled to go into effect in two weeks.
The Letter to Credit Unions can be accessed through the link below:
As we have discussed in previous Client Updates, NCUA is under a great deal of pressure from Congress to take every reasonable action on cyber security possible.
With a tendency to believe that every challenge is best dealt with by a new regulation, NCUA has enacted three cyber security regulations over the past three years. This cyber reporting regulation is the most recent of those.
It is unlikely to be the last.
Interestingly, the rule leaves some decisions about what must be reported and what does not require reporting to the judgment of the credit union.
The rule does not define the key terms that will determine how far-reaching it may potentially be. For example, what constitutes a “substantial” breach? Does the incident actually “disrupt” member service? What is a “vital” member service? How is “reasonable belief” defined?
So there will unquestionably be some determinations that might – and very well may – become areas of disagreement between a credit union and NCUA as to whether reporting is required.
Any credit union with a question as to whether or not a report should be made to NCUA should be prepared either to err on the side of “when in doubt” reporting (problematic, as reputation risk almost always accompanies reporting to a federal agency that might then require the credit union to notify its impacted members) or to compile a complete internal analysis that ensures the credit union’s documentation of why it chose not to report to NCUA is extensive and persuasive (also a challenge, but potentially less of a reputation risk if the documentation is strong).
This need for solid documentation if a potential cyber incident is not reported will become even more demanding because it is obvious from all we are hearing from our credit union clients that NCUA exam teams are dedicating specific resources at each 2023-24 exam to cyber security.
This new rule clearly shows that NCUA is extending its reach further and further into the cyber security issue at all federally insured (notice: not just federally chartered) credit unions.
Again, the effective date of this final rule is September 1, 2023. Through this Letter to Credit Unions, NCUA is following up on its stated intent to provide additional reporting guidance prior to the final rule going into effect.
Unfortunately, the Letter to Credit Unions is about as broadly defined as the final rule itself. Basically, whether a cyber incident is sufficient to justify reporting to NCUA is a credit-union-by-credit-union and situation-by-situation call.
But the kicker is the emergence of the cyber security focus as a growing and key portion of all NCUA exams these days.
Very few of our credit union clients examined so far this year have come through without some type of exam finding in the cyber/data security risk management area.
So this new regulation is one to watch and gain familiarity with. There is little doubt that, in this current environment, there are going to be data and/or cyber issues that NCUA will ask about at exam time.
This new rule provides them with a bigger hammer in the event they want to hit a credit union for non-reporting. Our hope is that they do not take the approach that, because they have a hammer, everything is a nail.
Time will tell. In the meantime, study up on the rule and the Letter to Credit Unions so that you can determine – if there is an incident – your reporting responsibilities or the justification you can document as to why you did not feel the incident required reporting.
Incidentally, if you do not have a copy of the actual NCUA rule itself, the following link takes you to the final cyber incident reporting rule that goes into effect September 1.
Until next time.
Dennis Dollar