By Jason Sharabani, Senior Manager, Internal Audit & Compliance


In June 2023, the NCUA released its annual Cybersecurity & Credit Union System Resilience Report. The report is presented to the Committee on Financial Services of the House of Representatives and to the Committee on Banking, Housing, and Urban Affairs of the Senate. It explains the measures taken to strengthen cybersecurity within the federally insured credit union system and at the NCUA itself; however, its recommendations are also worth adopting by other chartered credit unions (wink wink).


The Cybersecurity & Credit Union System Resilience Report is required by the Consolidated Appropriations Act, 2021 and provides:

  • Information on the policies and procedures to address cybersecurity risks
  • Activities to ensure effective implementation
  • Current or emerging threats

NCUA Chairman Todd M. Harper said, “The actions outlined in this comprehensive report demonstrate the NCUA’s commitment to promoting a secure and resilient environment for credit unions and their members.” He went on to say, “Recent agency efforts to address cybersecurity risks, including implementation of the scalable Information Security Examination procedures at credit unions, training and support programs, and the cyber incident notification rule, are described in the report. Additionally, the report to Congress details the significant risks and challenges facing the credit union system and the financial system because of the NCUA’s lack of authority over third-party vendors. I continue to call on Congress to close this growing regulatory blind spot.”

The report does address this “blind spot,” referencing the NCUA Cyber Incident Notification Requirements approved in February 2023[1]. This rule requires federally insured credit unions to report a cyber incident within 72 hours after the credit union reasonably believes it has experienced a reportable cyber incident. A quick reference guide was created to facilitate incident reporting; here is a link: Cyber incident reporting quick reference guide.


This rule officially went into effect September 1, 2023. To further instruct credit unions on what is reportable and what is not, the NCUA released two appendices: Appendix A lists examples of reportable cyber incidents, and Appendix B lists examples that would not qualify as reportable. But the biggest question is: what does “substantial” mean?

The NCUA says that “substantial” depends on a variety of factors, including the size of the credit union, the type and impact of the loss, and its duration. The NCUA expects a credit union to exercise reasonable judgment in determining whether it has experienced a substantial cyber incident that is reportable to the agency. If a federally insured credit union is unsure whether a cyber incident is reportable, it should contact the NCUA as soon as possible.


Credit unions should complete the following steps when implementing the rule:

  • Update the incident response plan
  • Review contracts (including third-party vendor agreements)
  • Train employees
  • Monitor and review the cyber incident reporting process to validate its effectiveness
  • Document all incidents, including:
    • Indicators of compromise
    • Network information or traffic related to the attack
    • The attack vector
    • Information on any exfiltrated data
    • Any forensic or other reports about the reportable cyber incident


While the reporting requirements are still a work in progress, and the NCUA will re-evaluate them annually, all credit unions are encouraged to continuously review and enhance their cybersecurity posture and improve their incident response capabilities.