Shifting guidelines around cybersecurity, like those recently codified by the Securities and Exchange Commission (SEC) and the New York Department of Financial Services' (NYDFS) are continuing to take root throughout the financial industry.

Going forward, one element that especially seems to be gaining traction is firming up how long organizations have to report a cybersecurity incident.

One group, the National Credit Union Administration (NCUA) - a government-backed insurer of credit unions in the U.S. - announced last month that it will soon ask all federally insured credit unions (FICU) to disclose if they experience what the organization deems a reportable cyber incident within 72 hours.

Approved unanimously on February 16, the new rule amends Part 748 of NCUA's regulations, and brings the NCUA’s reporting requirements closer in line with federal banking agencies and the Cyber Incident Reporting for Critical Infrastructure Act, or CIRCIA.

Federal regulators including the Federal Reserve, the Federal Deposit Insurance Corporation (FDIC), and the Treasury Department’s Office of the Comptroller of the Currency (OCC) asked covered banks and providers to adhere to a more stringent 36-hour breach notification timeframe in 2022. That banking rule went into effect April 1, 2022; banks had to begin complying by May 1.

Under CIRCIA, the Cybersecurity & Infrastructure Security Agency (CISA) will develop and issue regulations requiring covered entities to report to CISA any covered cyber incidents within 72 hours from the time the entity believes the incident occurred.

While NCUA claims it will offer more information about the rule change in the lead up to the date it becomes effective, credit unions (and their IT teams) may have questions about how it will affect them moving forward.

What is Part 748 of the NCUA Rules and Regulations?

The Gramm-Leach-Bliley Act (GLBA) requires the NCUA to establish standards for federally-insured credit unions around administrative, technical, and physical safeguards for member records and information. Under Part 748, each credit union needs to develop a written security program that has safeguards in place designed to protect the security and confidentiality of data, and keep it safe from threats or unauthorized access.

What Constitutes a Reportable Cyber Incident Under the Rule?

In short, the NCUA defines a reportable cyber incident as any incident that impacts the confidentiality, integrity, or availability (CIA) of a network or member information system, exposes sensitive data, or disrupts a credit union's business operations.

The full, in depth definition of a reportable cyber incident, refers to “any substantial cyber incident that leads to one of more of the following:

1. A substantial loss of confidentiality, integrity, or availability of a network or member information system as defined in appendix A, section I.B.2. e., of this
part that results from the unauthorized access to or exposure of sensitive data, disrupts vital member services as defined in § 749.1 of this chapter, or has a serious impact on the safety and resiliency of operational systems and processes.

2. A disruption of business operations, vital member services, or a member information system resulting from a cyberattack or exploitation of vulnerabilities.

3. A disruption of business operations or unauthorized access to sensitive data facilitated through, or caused by, a compromise of a credit union service organization, cloud service provider, or other third-party data hosting provider or by a supply chain compromise

What do credit unions have to do under the new rule?

Judging from the NCUA's text on the finale rule, FICUs only need to alert the NCUA through their designated point of contact, whether it's via email, phone, or other methods in the event of a reportable cyber incident. FICUs will not be expected to provide a full incident assessment to the NCUA within the 72-hour time frame.

No other specific reporting guidance was outlined by NCUA, although it claims it will be rolling out further instructions prior to the rule's go-live date.

When it was first published in the Federal Register back in July, the proposed rule suggested credit unions include the date and a basic description of the incident, affected functions, exploited vulnerabilities, and/or any known information regarding the threat actor.

Once it has the preliminary information, any further communication between the agency and the FICU will "occur through the supervisory process, as necessary," according to the NCUA.

NCUA Chairman Todd M. Harper clarified last month that having that early intel will allow it to work with other agencies and the private sector to respond to cyber threats before "they become systemic and threaten the broader financial services sector."

When Does the New Rule Go Into Effect?

Credit unions will have until September 1, 2023 to get ready to comply with the new rule. The NCUA claims it will provide additional reporting guidance prior to the final rule going into effect.