NCUA Proposes Rule Requiring Cyber Incident Reporting
The National Credit Union Administration ("NCUA") proposed a rule to require reporting of certain cyber incidents.
The proposed rule would require federally insured credit unions ("FICUs") to confidentially report an incident to the NCUA, via phone, email or other manner, no later than 72 hours after the credit union reasonably believes that it experienced a "reportable" cyber incident.
An incident would be reportable if it causes:
- a substantial loss of confidentiality, integrity or availability of a network or member information system resulting from unauthorized access to or exposure of sensitive data, disruption of vital member services, or a serious impact on the safety and resiliency of operational systems and processes;
- a disruption of business operations, vital member services or a member information system resulting from a cyberattack or exploitation of vulnerabilities; or
- a disruption of business operations or unauthorized access to sensitive data facilitated through, or caused by, a compromise of a credit union service organization, cloud service provider or other third-party data hosting service provider or supply chain compromise.
The proposal includes several examples of events that would trigger the reporting requirements. These include, among others, (i) a computer hacking incident that disables a FICU's operations, (ii) a ransomware attack that encrypts a core banking system or backup data, and (iii) a third-party notification to a FICU that the third party has experienced a breach of an employee's personally identifiable information. The NCUA clarified that a FICU would not be required to report network intrusions caused by good-faith penetration tests, and stated that blocked phishing attempts, failed attempts to gain access to systems, and unsuccessful malware attacks are not reportable incidents.
Comments on the proposal are due 60 days after its publication in the Federal Register.
Commentary
Although not listed as a recent NCUA priority, the proposal is unsurprising given last year's passage of the OCC, FDIC and Federal Reserve Board's computer-security incident notification rule (the "Bank Notification Rule") and the recent passage of the Cyber Incident Reporting for Critical Infrastructure Act ("CIRCIA"). The proposal borrows from each, although there are important differences that should be noted.
First, unlike the Bank Notification Rule, which requires bank service providers to report computer-security incidents up the chain to their bank clients, there is no requirement for credit union service organizations or other service providers to report cyber incidents up the chain to their credit union clients. Accordingly, should the proposal pass in its current form (and absent the extension of NCUA supervisory authority over service providers under the Federal Credit Union Act), contractual terms setting breach notification deadlines will remain an area of critical focus for credit unions and their service providers.
Second, the proposed deadline for reporting cyber incidents to the NCUA is double the 36-hour time limit for reporting "notification incidents" to the OCC, FDIC, and Federal Reserve Board under the Bank Notification Rule. Moreover, "reportable incidents" under the proposal are those that are "substantial," while "notification incidents" are computer security incidents that are "material." The proposal's 72-hour deadline, as well as its use of the undefined "substantial" incident qualifier, were designed to be consistent with the deadlines and terms set forth in CIRCIA, which was passed after the Bank Notification Rule was adopted. The proposal seeks comments on whether the 72-hour (rather than the 36-hour) deadline and the undefined substantiality qualifier are appropriate.