Credit Unions on a 72-Hour Clock with Proposed NCUA Cyber Incident Rule
By Roy Urrico
On July 21, 2022, the National Credit Union Administration (NCUA) Board approved a proposed rule that would require federally insured credit unions (FICUs) to notify the NCUA as soon as possible but no later than 72 hours after they reasonably believe that a reportable cyber incident has occurred.
In announcing the proposed mandate, the NCUA cited the financial industry's vulnerability to ransomware and other cyberattacks. “NCUA Board approval for issuing the proposed rule before us today is a critical step to increasing cybersecurity awareness and protection within the financial system,” Chairman Todd M. Harper said. “Federally insured credit unions are not only the system’s first line of defense, but they are also the NCUA’s eyes and ears. When credit unions report these types of incidents, they may very well be helping to keep our nation secure from similar cyberattacks elsewhere.”
Under the proposed rule, a FICU must report a cyber incident that leads to a substantial loss of confidentiality, integrity, or availability of a member information system as a result of the exposure of sensitive data, disruption of vital member services, or that has a serious impact on the safety and resiliency of operational systems and processes.
Although earlier this year, Congress and President Joe Biden also sought to require operators of critical infrastructure to report cybersecurity incidents to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours, that directive’s particulars may not receive full approval until 2024.
Therefore, the NCUA did not want to wait. Instead, the organization stated, “The Board believes that it would be imprudent in light of the increasing frequency and severity of cyber incidents to postpone a notification requirement until after CISA promulgates a final rule.”
The NCUA asked for industry comment (by Sept. 26, 2022), including on whether the proposed rule should shorten the 72-hour window for incident reporting to the banking standard of 36 hours. The NCUA also asked whether it should follow the new critical infrastructure reporting law's lead and mandate a shorter, 24-hour reporting window for ransomware attacks.
The NCUA Board in its presentation of the proposed rule cited “systemic risk from third-party vendors and credit union service organizations (CUSO) as a significant concern given that credit unions rely on many of the same third-party vendors.”
In addition, the NCUA rule proposal noted, “As of March 30, 2022, the top five credit union core processing system third-party vendors provided service to credit unions holding approximately 87% of total credit union system assets. Likewise, at the end of 2021, the top five CUSOs provided service to credit unions that hold approximately 95% of total credit union system assets. Significant problems or a failure with a critical vendor or CUSO has the potential to result in disruption, including losses, to many credit unions and, in turn, pose risk to the National Credit Union Share Insurance Fund (NCUSIF) and national economic security given the amount and type of data held and processed, as well as the number of Americans who use credit unions for financial services.”
Consequently, under the new rule, pointed out the NCUA, when a FICU receives an alert to a cyber incident caused by a third party, which impacts the FICU’s sensitive data or business operations, it must report the incident to the NCUA as soon as possible.
On the other hand, “A FICU would not be required to report an incident performed in good faith by an entity in response to a request by the owner or operator of the information system.” An example of an incident excluded from reporting would be the contracting of a third party to conduct a penetration test.
The NCUA included a non-exhaustive list of incidents considered reportable cyber incidents under the proposed rule:
1. A computer hacking that disables a FICU’s operations.
2. A ransom malware attack that encrypts a core banking system or backup data.
3. Third-party notification to a FICU that they have experienced a breach of an employee’s personally identifiable information (PII).
4. A detected, unauthorized intrusion into a network information system.
5. Discovery or identification of zero-day malware — a cyberattack that exploits a previously unknown hardware, firmware, or software vulnerability — in a network or information system.
6. Internal breach or data theft by an insider.
7. A systems compromise resulting from card skimming.
8. Sensitive data exfiltrated outside of the FICU or a contracted third party in an unauthorized manner, such as through a flash drive or online storage account.
Reaction from Information Security Experts
A couple of information security specialists provided Finopotamus with respective takes on the proposed NCUA rule.
Al Pascual, senior vice president, enterprise risk solutions for Sontiq, a TransUnion company, said, “These kinds of changes are incredibly important when you consider that the threat landscape is changing. With the digital footprint of the credit union community growing considerably through the pandemic (creating a much larger attack surface), this is not a minor change.”
Pascual noted the proposed rule clearly raises the bar for credit unions to report cyber incidents. “Previously, credit unions had significantly more latitude – with some events covered by this rule change, such as those compromising credit union data (but not necessarily member data), completely excluded in the past.” Pascual added a ransomware attack, for example, which affects operational data, may not have triggered a notification in the past. “The rule does not ask for much detail, which helps limit the compliance burden.”
Pascual also noted, “Credit unions need to notify the NCUA when a qualifying event affected a third-party provider within 72 hours of learning of it from the provider (not from when it occurred).” He added, “To be fair, it will take any credit union some time to digest and subsequently report a qualifying third-party event. However, given the significant (and growing) dependencies credit unions have on third-party technology companies (think cloud service providers, which can even include core banking), timely reporting by third-party providers is going to be crucial for identifying events that could impact wide swaths of the credit union community.”
Tom Tovar, CEO and co-creator of Appdome, pointed out "The new NCUA rule is part of a larger trend where governmental and regulatory bodies are requiring faster, more thorough reporting to customers and others affected by cyber incidents that expose sensitive information. So, it is more important than ever for credit unions to get ahead of the trend to stop these kinds of attacks before they occur by implementing systems that can show what cyberattacks are occurring and then rapidly address them, with the documentation to demonstrate compliance.”
Tovar added it is critical that credit unions not overlook mobile apps. “Hackers certainly have not, because they are an increasingly common vector for cyberattack. Development teams need real-time information on attacks and an automated way to protect against them in the next build."