The National Credit Union Administration (NCUA) has approved a final rule requiring federally chartered and federally insured credit unions to notify NCUA of a "reportable cyber incident" "as soon as possible and no later than 72 hours" after the credit union "reasonably believes" the incident has occurred. The final rule goes into effect on September 1, 2023.

The NCUA rule has some similarities to—and numerous differences from—the cyber incident notification rule for banking organizations and their service providers issued by the Federal Reserve, Office of the Comptroller of the Currency (OCC), and Federal Deposit Insurance Corporation (FDIC) in April 2022 (we discussed this rule in a webinar last year). The NCUA rule also is aligned in key respects with requirements of the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) (discussed in our blog post here), in an effort to harmonize the rule with forthcoming cyber incident notification requirements from the Cybersecurity and Infrastructure Security Agency (CISA).

NCUA states in the final rule that it intends to issue additional reporting guidance, including examples of reportable and non-reportable incidents, prior to the final rule going into effect. Federally chartered and federally insured credit unions should review the final rule and any additional guidance from NCUA and make necessary adjustments to their incident response plans and security policies.

Overview of the NCUA 72-Hour Notification Rule

The final rule, which amends NCUA's regulations at 12 C.F.R. part 748, defines a "cyber incident" as "an occurrence that actually or imminently jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information on an information system or actually or imminently jeopardizes, without lawful authority, an information system."

A "reportable cyber incident"—one that must be reported to NCUA within 72 hours—means a "substantial cyber incident" leading to one or more of these outcomes:

  • A substantial loss of confidentiality, integrity, or availability of a network or member information system … that results from the unauthorized access to or exposure of sensitive data, disrupts vital member services…, or has a serious impact on the safety and resiliency of operational systems and processes;
  • A disruption of business operations, vital member services, or a member information system resulting from a cyberattack or exploitation of vulnerabilities; and/or
  • A disruption of business operations or unauthorized access to sensitive data facilitated through, or caused by, a compromise of a credit union service organization, cloud service provider, managed service provider, or other third-party data hosting provider or by a supply chain compromise. [1]

Credit unions covered by the rule must notify NCUA of a reportable cyber incident "as soon as possible but no later than 72 hours." A credit union's obligation to notify NCUA begins to run once the credit union "reasonably believes that it has experienced a reportable cyber incident."

For reportable cyber incidents that occur at a service provider or other third party (pursuant to the third prong of the definition of reportable cyber incident above), credit unions must report within 72 hours of either reasonably believing that a reportable cyber incident has occurred or receiving notification from the third party—whichever is sooner. NCUA explains in the final rule that while credit unions often will not become aware of reportable incidents at a third party until being so notified by the third party, there may be cases where the credit union becomes aware prior to receiving third-party notification, such as where it observes that core third-party services have gone offline. NCUA also states that the final rule "does not permit [credit unions] to provide notice only after the [credit union] or the third-party have completed all their investigations…."

Credit unions must notify a designated NCUA point of contact of any reportable cyber incident and may do so by email, telephone or "other similar methods that the NCUA may prescribe." NCUA states that it will provide more detailed guidance on how to report incidents before the rule goes into effect.

Analysis

Comparison to the Banking Regulators' Notification Rule. Both the NCUA notification rule and the banking regulators' notification rule are focused in significant part on operational disruption. Both require notification to regulators of incidents that—even in the absence of a breach of customer data—result in significant disruption to the financial institution's operations or member services. But the two rules also have significant differences, some obvious and some less so:

  • The NCUA rule provides a longer notification deadline than the banking regulators' rule—72 hours as opposed to 36 hours. NCUA states in the final rule that it used a 72-hour deadline in part to align its rule to notification requirements for critical infrastructure operators (including those in financial services under CIRCIA and the forthcoming CISA regulations).
  • The obligation to notify NCUA of a reportable incident begins once a credit union "reasonably believes" that such an incident has occurred. The "reasonably believes" standard also comes from CIRCIA. Under the banking regulators' rule, a banking organization or service provider is required to notify once it "determines" that a notifiable incident has occurred. Thus, while the NCUA rule provides a longer deadline for notification, credit unions might have to notify sooner in some cases than they would have to under the banking regulators' rule (i.e., where the credit union "reasonably believes" a reportable incident has occurred but has not yet confirmed whether it has). This could result in credit unions reporting potential incidents to NCUA that turn out not to be incidents after all.
  • The banking regulators' rule applies directly to certain "bank service providers" (which are required to notify their banking organizations of certain incidents), as well as to banking organizations, whereas the NCUA rule applies only to covered credit unions themselves. The NCUA rule contains no explicit requirement that service providers notify credit unions, or even that credit unions require such notification in their third-party contracts. In fact, NCUA states that its final rule "does not impact existing contractual relationships" with service providers and contains "no requirement…that [credit unions] amend existing contracts to comply with the rule." Even so, it remains to be seen whether NCUA will seek to hold credit unions responsible for untimely reported incidents where agreements between credit unions and their service providers (or other third parties) contain no requirement that service providers notify credit unions of reportable incidents. Credit unions covered by the NCUA rule should assess their ability to detect significant service outages or other incidents at their service providers (which could put them on notice of a reportable incident) and consider building cyber incident notification provisions into their third-party contracts to require that they be notified of incidents in a timely fashion.
  • Based on the text of the two rules, it appears that the NCUA rule may require notification of a broader set of incidents. The banking regulators' rule only requires notification to regulators where an incident has resulted in "actual harm" to information or information systems and "has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade" material aspects of the banking organization's operations, resulting in "customers being unable to access their deposit and other accounts, or impact the stability of the financial sector."[2] In contrast, the NCUA rule contains no concept of materiality, and instead requires that reportable incidents be "substantial" and involve a "substantial" compromise of a network or a member information system, a "disruption" of certain business operations, or even a mere "unauthorized access to sensitive data" at a third-party service provider. The extent to which NCUA intended to include a broader set of incidents by using terms like "substantial" instead of "material" may only become clear over time.

Alignment with CIRCIA and CISA. NCUA states in its final rule that it deliberately aligned key aspects of the rule to CIRCIA in order to harmonize its notification requirement with the forthcoming requirements from CISA (CIRCIA directs CISA to issue cyber incident notification requirements for critical infrastructure operators using certain parameters required by the Act). As noted above, NCUA deliberately incorporates CIRCIA's requirement that covered entities provide notification of a reportable incident not later than 72 hours after an entity "reasonably believes" that such an incident has occurred. This alignment will help credit unions navigate the forthcoming CISA notification regulations, to the extent they are covered by them. The NCUA rule also takes many of its definitions, such as those of "confidentiality," "integrity," "disruption," and "cyberattack," from National Institute of Standards and Technology (NIST) guidance, which will significantly inform CISA's rulemaking process.

Notably, the NCUA rule borrows some aspects of CIRCIA's definition of a "covered cyber incident" (one that will have to be reported to CISA): both rules require notification of certain incidents involving "substantial loss of confidentiality, integrity, or availability" of information systems or a network, "a serious impact on the safety and resiliency of operational systems and processes," a "disruption of business operations" resulting from cyberattacks or the exploitation of vulnerabilities, and a "disruption of business operations…facilitated through, or caused by, a compromise of a cloud service provider … or other third-party data hosting provider or by a supply chain compromise." On the other hand, the NCUA rule requires notification of various types of incidents not covered by CIRCIA, including certain incidents involving "unauthorized access to or exposure of sensitive data" at a credit union or a third party.

The NCUA rule differs from CIRCIA in some other key respects as well. The NCUA rule does not contain CIRCIA's separate 24-hour notification rule for ransomware payments and does not provide the various confidentiality and liability protections that CIRCIA affords for information reported under it. Even so, NCUA states that information reported by credit unions under the rule will be treated confidentially under NCUA regulations and exempt from the Freedom of Information Act (FOIA) under certain FOIA exemptions.[3]

Relation to Existing Cyber Requirements for Credit Unions

Credit unions covered by NCUA regulations already must comply with security requirements under the Interagency Guidelines adopted pursuant to the Gramm-Leach-Bliley Act (GLBA), codified at 12 C.F.R. Part 748, Appendices A and B.[4] Among other things, credit unions must maintain "response programs" to address unauthorized access to member information that include "[n]otifying the appropriate NCUA Regional Director … as soon as possible when the credit union becomes aware of an incident involving unauthorized access to or use of sensitive member information as defined below." The final rule does not substantively amend this existing notification requirement, meaning that covered credit unions may need to report certain incidents under either or both the new notification rule and the existing requirements in the Interagency Guidelines.

***

DWT's Privacy and Security and Financial Services teams will continue to monitor developments with the NCUA cyber incident reporting rule, including any guidance issued by NCUA ahead of the rule's effective date.

[1] "Member information system" is defined in existing NCUA regulations issued under the Gramm-Leach-Bliley Act as "any method used to access, collect, store, use, transmit, protect, or dispose of member information." "Vital member services" is defined in existing regulations at 12 C.F.R. § 749.1 as "informational account inquiries, share withdrawals and deposits, and loan payments and disbursements." The NCUA notification rule contains new definitions of "compromise," "confidentiality," "cyberattack," "disruption," "integrity" and "sensitive data."

[2] Computer-Security Incident Notification Requirements for Banking Organizations and Their Bank Service Providers, 86 Fed. Reg. 66,424, 66,425 (Nov. 23, 2021).

[3] NCUA's FOIA regulations are available at 12 C.F.R. part 792.

[4] Various financial services regulators maintain their own version of the Interagency Guidelines, pursuant to authority granted to those agencies under GLBA. For example, the Federal Reserve maintains its version at 12 C.F.R. Part 225, Appendix F, whereas the FDIC maintains its version at 12 C.F.R. Part 346, Appendix B.