NCUA’s Updated Rules Regarding Cyber Incidents
The National Credit Union Administration (NCUA) has recently updated its rules regarding how credit unions should report cyber incidents. These changes are aimed at strengthening the defenses of credit unions against cyber threats. Here’s a more detailed look at these new regulations, including examples of reportable incidents and how to ensure compliance.
A “cyber incident” is an event that jeopardizes the security, integrity, or confidentiality of digital systems or the data they contain. This can encompass a wide range of scenarios, from cyberattacks by malicious hackers to system malfunctions or even physical disasters that affect IT infrastructure.
What are the New Regulations?
The NCUA now requires credit unions to report significant cyber incidents to the NCUA and their members within 72 hours of discovery. This is a significant reduction from the previous requirement of 120 hours. Furthermore, if a cyber incident has the potential to materially disrupt the credit union’s operations or services, the credit union must notify affected members and the NCUA.
A “major cyber incident” is defined as one that:
- Significantly disrupts the credit union’s operations or member services.
- Results in unauthorized access to sensitive member information.
- Incurs substantial monetary loss for the credit union.
Moreover, the new regulations mandate that credit unions must have a cyber incident response plan in place. This plan should delineate procedures for identifying, assessing, mitigating, and recovering from cyber incidents.
What Incidents Should Be Reported?
Here are some examples of reportable incidents:
- Unauthorized access to sensitive member information.
- Cyberattacks that significantly disrupt the credit union’s operations or member services.
- Ransomware attacks that encrypt critical data and demand payment for its decryption.
- Phishing attacks that successfully obtain member or employee data.
What Incidents Don’t Need to Be Reported?
Here are some examples that don’t require reporting:
- Minor system glitches that are promptly resolved and do not impact operations.
- Failed login attempts that do not result in unauthorized access.
- Spam emails that are successfully filtered out by the credit union’s email system.
How to Comply With the New Regulations?
Compliance with these new regulations begins with a thorough review and update of existing cyber incident response plans. These plans should be comprehensive, outlining procedures for detecting, responding to, and recovering from cyber incidents.
Credit unions should also ensure they have strong systems in place for detecting and reporting cyber incidents. This involves investing in cybersecurity technology and training staff to recognize and respond to potential threats.
Consulting with a cybersecurity expert can also be beneficial. These professionals can provide valuable advice and guidance on complying with the new regulations and defending against cyber threats.
The Bottom Line Is
The NCUA’s new cyber incident reporting rules aim to enhance the security measures that protect credit unions and their members from cyber threats. By understanding and complying with these new rules, credit unions can ensure they are taking the necessary precautions to safeguard their systems and member information.
For a comprehensive understanding, refer to the original NCUA letter here.
If You Need Help with Compliance
Let’s discuss if working with Intech Hawaii is the right MSP for your Credit Union. We are leaders in the industry and can help you manage and secure your network with our ARMOR IT, ARMOR Cybersecurity and ARMOR Compliance services.