NAVIGATING THE NEW NCUA CYBER INCIDENT NOTIFICATION REQUIREMENTS

In today’s digital landscape, the importance of cybersecurity cannot be overstated, as businesses of all sizes are susceptible to cyber threats. Credit unions are an attractive target for cyber threat actors because of the valuable financial data they hold, their often limited cybersecurity resources, and their interconnected digital infrastructure.

To help protect credit unions and their members’ data, the National Credit Union Administration (NCUA) introduced new Cyber Incident Notification Requirements for federally insured credit unions, effective September 1, 2023. As a Managed Security Services provider in Hawaii, we wanted to help demystify the new requirements with a concise summary of the key points, along with actionable steps you can take to protect your organization and, ideally, prevent cyberattacks.

Here is a summary of the key points of the new requirements that you should be aware of, so that you can prepare accordingly in the unfortunate event that your credit union falls victim to a cyber threat.

WHAT IS A CYBER INCIDENT:

The NCUA Cyber Incident Notification Requirements rule defines a cyber incident as “an occurrence that actually or imminently jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information on an information system or actually or imminently jeopardizes, without lawful authority, an information system.”

WHAT IS CONSIDERED A REPORTABLE CYBER INCIDENT?

The NCUA defines three ‘prongs’ for reportable incidents:

  1. Substantial Loss of Confidentiality, Integrity, or Availability: Reportable incidents include those that lead to a substantial loss of confidentiality, integrity, or availability of member information systems due to unauthorized access, exposure of sensitive data, disruption of vital member services, or impacts on safety and operational resiliency. For example, if a credit union is aware of data that has been accessed by or exposed to unauthorized persons, this is considered reportable.
  2. Disruption of Business Operations, Member Services, or Information Systems: Cyber incidents that disrupt business operations, vital member services, or member information systems are also reportable. This includes incidents like distributed denial of service (DDoS) attacks that result in substantial system outages. Unsuccessful phishing attempts or blocked malware threats would not be considered reportable.
  3. Compromise by Third-Party Providers: When a third-party service provider informs the credit union of a compromise of sensitive data or a disruption to business operations, or when the credit union reasonably believes this has occurred, the credit union must report the incident. However, actions performed in good faith by a third party in response to specific requests by the system owners or operators are excluded from reporting.

WHEN ARE CREDIT UNIONS REQUIRED TO REPORT CYBER INCIDENTS TO NCUA?

Incidents must be reported to the NCUA as soon as possible, and no later than 72 hours after forming a reasonable belief that a reportable cyber incident occurred.

HOW TO REPORT AN INCIDENT:

Credit unions can report incidents by calling 1.833.CYBERCU (1.833.292.3728) and leaving a voicemail, or by contacting the NCUA through the National Credit Union Administration Secure Email Message Center.

WHAT INFORMATION TO INCLUDE IN YOUR REPORT:

When reporting, credit unions should provide details such as:

  • Credit Union Name
  • Charter number
  • Contact information
  • Incident timeline (when the incident happened), and
  • Basic description of the incident and what functions or sensitive data were affected.

Sensitive information, indicators of compromise, specific vulnerabilities, or email attachments should not be sent during initial notifications.
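As an added example (not part of the original post or of the NCUA rule itself), the following Python model encodes the reporting procedure described above: the three prongs and their exclusions, the 72-hour clock that starts when a reasonable belief is formed, and an initial notification limited to the basic fields, with indicators of compromise and vulnerability details kept out. The credit union name, charter number, contact address and indicator values are constructed placeholders.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

NOTIFICATION_WINDOW = timedelta(hours=72)  # "no later than 72 hours" after reasonable belief


@dataclass
class Incident:
    credit_union: str
    charter_number: str
    contact: str
    occurred_at: datetime           # incident timeline: when it happened
    reasonable_belief_at: datetime  # when staff formed a reasonable belief it is reportable
    description: str
    substantial_cia_loss: bool = False     # prong 1: unauthorized access/exposure of member data
    disrupts_operations: bool = False      # prong 2: outage of vital services or member systems
    third_party_compromise: bool = False   # prong 3: provider-reported compromise or disruption
    good_faith_by_request: bool = False    # exclusion: provider acted at the credit union's request
    blocked_or_unsuccessful: bool = False  # exclusion: blocked malware, failed phishing attempt
    iocs: list = field(default_factory=list)             # internal only: never in the first report
    vulnerabilities: list = field(default_factory=list)  # internal only: never in the first report


def is_reportable(inc: Incident) -> bool:
    """Apply the three prongs, minus the two exclusions, from the summary above."""
    if inc.blocked_or_unsuccessful or (inc.third_party_compromise and inc.good_faith_by_request):
        return False
    return inc.substantial_cia_loss or inc.disrupts_operations or inc.third_party_compromise


def notification_deadline(inc: Incident) -> datetime:
    """Latest time to notify the NCUA: 72 hours after the reasonable belief was formed."""
    return inc.reasonable_belief_at + NOTIFICATION_WINDOW


def initial_notification(inc: Incident) -> dict:
    """Build the initial report from the basic fields only; IoCs and vulnerabilities are omitted."""
    if not is_reportable(inc):
        raise ValueError("not reportable under the three prongs; document internally only")
    return {"credit_union": inc.credit_union, "charter_number": inc.charter_number,
            "contact": inc.contact, "incident_time": inc.occurred_at.isoformat(),
            "description": inc.description}


def sample_incidents() -> tuple:
    """Constructed sample data: one reportable breach and one blocked (non-reportable) attempt."""
    t0 = datetime(2024, 3, 4, 9, 30, tzinfo=timezone.utc)
    common = dict(credit_union="Example FCU", charter_number="00000", contact="ciso@example.invalid")
    breach = Incident(**common, occurred_at=t0, reasonable_belief_at=t0 + timedelta(hours=5),
                      description="Member account data accessed by an unauthorized party",
                      substantial_cia_loss=True, iocs=["203.0.113.7"], vulnerabilities=["CVE-PLACEHOLDER"])
    blocked = Incident(**common, occurred_at=t0, reasonable_belief_at=t0,
                       description="Malware attachment blocked by the email gateway", blocked_or_unsuccessful=True)
    return breach, blocked
```

Calling `initial_notification(breach)` yields only the five basic fields, while the blocked malware sample raises because it is not reportable.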

STAYING AHEAD OF CYBER THREATS

It’s not all doom and gloom when it comes to fortifying your credit union’s cyber defenses. Here are a few proven tips to help your organization stay vigilant against cyber threats and to support compliance with the NCUA’s new incident reporting requirements.

ENSURE SYSTEMS ARE PROTECTED, MONITORED, AND BACKED UP

  • Conduct regular vulnerability assessments, penetration testing, and security audits to identify and address weaknesses in the network.
  • Implement robust network monitoring tools to detect unusual or suspicious activities.
  • Establish secure data backups and recovery processes to ensure minimal data loss and downtime in case of an incident.

DEVELOP/MAINTAIN A CYBER RESPONSE PLAN

Develop and maintain your incident response plan to align with the new NCUA reporting requirements, including timeframes and procedures. Ensure your plan includes clear guidelines for identifying reportable incidents and escalation procedures. Regularly monitor and review your incident reporting process and conduct tests and exercises to evaluate its efficiency and make necessary improvements.

SECURITY AWARENESS TRAINING

Your employees are your first line of defense against cyber threats. Provide cybersecurity training to employees, emphasizing the importance of reporting incidents and their role in the process. As a value add to your membership, sharing security awareness information and guidance on protecting their accounts and data is also helpful.

DOCUMENT ALL INCIDENTS

Document all cyber incidents, not just reportable ones, to support future incident response trending and reporting efforts. Document indicators of compromise, network information, attack vectors, exfiltrated data, and forensic reports about the incident.

MONITOR LEGAL AND REGULATORY CHANGES

Stay informed about evolving cybersecurity regulations and compliance requirements to ensure adherence.

COLLABORATE WITH YOUR THIRD-PARTY SERVICE PROVIDERS

Ensure third-party service providers follow strong cybersecurity practices and have a clear incident response plan in place. Examine contracts with critical service providers to verify if they require timely notification of cyber incidents.

MAINTAIN CYBER INSURANCE

Consider obtaining cyber insurance to mitigate the financial impact of an incident.

COLLABORATE WITH A CYBERSECURITY PARTNER TO EVALUATE YOUR EXISTING SECURITY MEASURES

Partnering with a trusted cybersecurity expert can offer you valuable insights and a thorough assessment of your current security measures, helping you gauge your resilience against cyber threats.

If you are currently without a Security Service provider, consider reaching out to our Hawaii-based Cybersecurity Specialists at Cyberuptive. We are pleased to provide a complimentary assessment of your security posture. Visit our website at www.cyberuptive.com to arrange your review and ensure peace of mind with the knowledge that your cyber safety is in good hands.

In an era where cyber threats are ever-present, your vigilance and preparedness can make all the difference in safeguarding your credit union and its members. Together, we can navigate these challenges successfully.

CONTACT

For more information or to book your complimentary cybersecurity assessment:

For more details about the NCUA’s requirements visit: https://ncua.gov/regulation-supervision/letters-credit-unions-other-guidance/cyber-incident-notification-requirements