NCUA New Incident Reporting Rule

The National Credit Union Administration (NCUA) has finalized a new rule that requires credit unions to inform the agency of any "reportable" cyber incident within 72 hours of the event occurring.

We had a hunch this rule would be coming soon after the FDIC implemented its new incident reporting requirements last year. This new rule aligns the NCUA's reporting requirements with those of the federal banking agencies and the Cyber Incident Reporting for Critical Infrastructure Act.

The rule, which will go into effect on September 1, 2023, defines "reportable" incidents as those in which a credit union "reasonably believes" that the integrity, confidentiality, or availability of information has been impacted.

The two key follow-up questions that our clients asked when this went into effect for banks, were what constitutes “reasonable belief” and what counts as an impact on availability? Is it any time that a system goes down?

As with most things, we believe that precedent will help clear up specifics around the new rule. To be safe, we have recommended that when there is sufficient evidence that confidentiality or integrity has been compromised, the NCUA should be notified. We recommend erroring on the side of caution and notifying them early in the process. The availability impact on data from a cyber breach is when a system is infected with ransomware, or an attacker has gained access and locked the organization out of the system. In short, the member’s data can’t be accessed.  

What does this mean for you and your incident response process? 

Update Your Plan 

The first step we would recommend is performing a review of your incident response plan and updating it with the new requirements in the notification section. Ensure that you include a definition of when a report should be made and contact information for the agency.

Test Your Plan 

After the updates are made, schedule an incident response tabletop exercise. For the exercise, craft a cyber incident presentation using a scenario such as ransomware or business email compromise to walk through with the team. We recommend including all the key employees who are part of the incident response team and key decision-makers at the organization. It is important to get senior leadership buy-in so that everyone on the team takes the exercises seriously. The goal is to familiarize everyone with their roles, the process, where contact information is stored, and what tools might be needed.

Lessons Learned 

After the tabletop exercise, be sure to spend some time asking and answering questions of the team to ensure that everyone is clear on their responsibilities during an incident. We have seen a drastic difference in the response of organizations that are prepared vs. ones that just let the plan sit on the shelf.

How Can Rivial Help? 

We help our clients prep for incident response in multiple ways. If you don’t currently have an incident response policy or it is dated, feel free to download our template below and customize it for your organization to get started.

If you want to take it to the next level, we have automated the incident response plan and process in our software and included playbooks for multiple incident types. Schedule a demo below to test it out!

Finally, we perform tabletop exercises for our clients each year. We can craft a scenario specific to your incident response maturity and plan and walk your team through it!

If you have any questions on the new NCUA reporting rules, don’t hesitate to reach out!