INCIDENT REPORTING: NCUA'S 72-HOUR RULE

National Credit Union Administration's (NCUA) recent policy on reporting Cyber Incidents went into effect September 1, 2023, and now requires all federally insured credit unions to notify a reportable cyber incident, or, if they have received a notification from a third party regarding a reportable cyber incident no later than 72 hours.

We had a hunch this rule would be coming soon after the FDIC implemented its new incident reporting requirements last year. This new rule aligns the NCUA's reporting requirements with those of the federal banking agencies and the Cyber Incident Reporting for Critical Infrastructure Act.

The rule defines "reportable" incidents as those in which a credit union "reasonably believes" that the integrity, confidentiality, or availability of information has been impacted.

The two key follow-up questions that our clients asked when this went into effect for banks, were what constitutes “reasonable belief” and what counts as an impact on availability? Is it any time that a system goes down?

As with most things, we believe that precedent will help clear up specifics around the new rule. To be safe, we have recommended that when there is sufficient evidence that confidentiality or integrity has been compromised, the NCUA should be notified. We recommend erroring on the side of caution and notifying them early in the process. The availability impact on data from a cyber breach is when a system is infected with ransomware, or an attacker has gained access and locked the organization out of the system. In short, the member’s data can’t be accessed. Here are some examples that qualify as Reportable Cyber Incidents provided by the NCUA

• Internal breach or data theft by an insider.
• A detected, unauthorized intrusion into a network information system.
• Sensitive data is exfiltrated outside of the federally insured credit union or a contracted third party in an unauthorized manner, such as through a flash drive or online storage account.
• Member information was compromised because of card skimming at a credit union’s ATM.

What does this mean for you and your incident response process? 

1. Update Your Plan:

   The first step we would recommend is performing a review of your incident response plan and updating it with the new requirements in the notification section. Ensure that you include a definition of when a report should be made and contact information for the agency.

2. Test Your Plan: 

   After the updates are made, schedule an incident response tabletop exercise. For the exercise, craft a cyber incident presentation using a scenario such as ransomware or business email compromise to walk through with the team. We recommend including all the key employees who are part of the incident response team and key decision-makers at the organization. It is important to get senior leadership buy-in so that everyone on the team takes the exercises seriously. The goal is to familiarize everyone with their roles, the process, where contact information is stored, and what tools might be needed.

3. Lessons Learned: 

   After the tabletop exercise, be sure to spend some time asking and answering questions of the team to ensure that everyone is clear on their responsibilities during an incident. We have seen a drastic difference in the response of organizations that are prepared vs. ones that just let the plan sit on the shelf.

How Can Rivial Help? 

We help our clients prep for incident response in multiple ways. If you don’t currently have an incident response policy or it is dated, feel free to download our general template below and customize it for your organization to get started.
 
General templates are great to get the ball rolling, however, as previous security consultants and auditors, we HIGHLY recommend incorporating an incident response plan that is dynamic to your organization's needs. Schedule a demo below to check out our versatile incident response feature built for multiple incident types! 

SCHEDULE A DEMO