Earlier this year, the National Credit Union Association (NCUA) passed a Final Rule imposing certain breach notification requirements on federally-insured credit unions. This article responds to frequently asked questions related to this Final Rule.
When is the Final Rule effective?
The effective date of the Cyber Incident Notification Requirements for Federally Insured Credit Unions Final Rule is September 1, 2023.
Who must comply with the Final Rule?
Federally insured credit unions (“FICUs”), including federally chartered credit unions, federally insured state-chartered credit unions, federally chartered corporate credit unions, and federally insured state-chartered corporate credit unions.
What are the notification requirements?
A FICU is required to notify the NCUA (via email, telephone, or other similar methods that the NCUA may prescribe) as soon as possible but no later than 72 hours after (i) the FICU reasonably believes that a “reportable cyber incident” has occurred, or (ii) being notified by a third party that a “reportable cyber incident” has occurred, whichever is sooner.
What is a “Reportable Cyber Incident”?
A “cyber incident” is an occurrence that actually or imminently jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information on an information system or actually or imminently jeopardizes, without lawful authority, an information system.
A “reportable cyber incident” is any substantial cyber incident that leads to one or more of the following:
- A substantial loss of confidentiality, integrity, or availability of a network or member information system that results from the unauthorized access to or exposure of sensitive data, disrupts vital member services, or has a serious impact on the safety and resiliency of operational systems and processes.
- A disruption of business operations, vital member services, or a member information system resulting from a cyberattack or exploitation of vulnerabilities.
- A disruption of business operations or unauthorized access to sensitive data facilitated through, or caused by, a compromise of a credit union service organization, cloud service provider, managed service provider, or other third-party data hosting provider or by a supply chain compromise.
What are examples of a “Reportable Cyber Incident”?
The following is a non-exhaustive list of incidents that would be considered reportable cyber incidents under the Final Rule:
- A computer hacking incident that disables a FICU’s operations.
- A ransom malware attack that encrypts a core banking system or backup data.
- Third-party notification to a FICU that they have experienced a breach of a FICU employee’s personally identifiable information (PII).
- A detected, unauthorized intrusion into a network information system.
- Discovery or identification of zero-day malware in a network or information system.
- Internal breach or data theft by an insider.
- Member information compromised as a result of card skimming at a credit union’s ATM.
- Sensitive data exfiltrated outside of the FICU or a contracted third party in an unauthorized manner, such as through a flash drive or online storage account.
What should notification of a “reportable cyber incident” include?
The Final Rule does not include any prescribed reporting forms or templates.
In the Final Rule, the NCUA stated it will require only certain basic information, to the extent it is known to the FICU at the time of reporting, such as:
- A basic description of the reportable cyber incident, including what functions were, or are reasonably believed to have been, affected.
- The estimated date range during which the reportable cyber incident took place.
- Where applicable, a description of the exploited vulnerabilities and the techniques used to perpetrate the reportable cyber incident.
- Any identifying or contact information of the actor(s) reasonably believed to be responsible.
- The impact to the FICU’s operations.
In an August 2023 NCUA Letter to Credit Unions, the NCUA provided additional guidance that the notification should also include: (i) the credit union name; (ii) the credit union charter number; (iii) the name and title of the individual reporting the incident; and (iv) a telephone number and email address. The letter also informed credit unions of two methods (telephone or secure email) that may be used to provide such notice to the NCUA.
Are there any exceptions to notification?
Notification is not required under this Final Rule for any event where the cyber incident is performed in good faith by or on behalf of the owner or operator of the information system (i.e., the FICU and/or an authorized third party conducting a penetration test).
Notification is not required for any “cyber incident” that does not rise to the level of a “reportable cyber incident.”
Are there any requirements on third-party service providers?
There are no direct requirements placed on third-party service providers by this Final Rule. Additionally, the Final Rule has no impact on contractual requirements, so FICUs are not required to amend contracts that may be in place with third-party service providers in order to comply with the reporting requirements of this Final Rule.
A FICU is simply required to notify the NCUA no later than 72 hours after (i) the FICU reasonably believes that a “reportable cyber incident” has occurred, or (ii) being notified by a third party that a “reportable cyber incident” has occurred.
Contact us for more information.
Baldini Lang LLC has extensive experience assisting clients in building compliance programs and policies to meet their legal requirements and establish best practice standards. Contact us for more information.