New Cyber Incident Notification Requirements for Credit Unions

To help the NCUA identify and better respond to cyber threats against credit unions and their members, new rules will require credit unions to report cyber incidents. Under the final cyber incident rule, credit unions must report these incidents immediately.

Under the new rules, credit unions must report any cyber incident that meets the definition of a “reportable cyber incident.”

“The Cyber Incident Notification Requirements rule defines a cyber incident as an occurrence that actually or imminently jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information on an information system or actually or imminently jeopardizes, without lawful authority, an information system.”

NCUA.gov

A reportable cyber incident is one that:

  • Leads to a substantial loss of confidentiality, integrity, or availability of a network or member information system.
  • Results from the unauthorized access to or exposure of sensitive data.
  • Disrupts vital member services.
  • Has a severe impact on the safety and resiliency of operational systems and processes.

Credit unions must report reportable cyber incidents to the NCUA as soon as possible, and no later than 72 hours after the credit union reasonably believes that it has experienced a reportable cyber incident. The report must include the following information:

  • The name and credit union charter number of the credit union.
  • The name and title of the individual reporting the incident.
  • Telephone number and email address.
  • The date and time of the incident.
  • A brief description of the incident.
  • The impact of the incident on the credit union’s operations and members.
  • The steps that the credit union has taken to respond to the incident.

If the NCUA believes it needs any other information, it will contact the credit union directly. The NCUA will use the information that credit unions provide to assess the risk posed by cyber threats and to develop appropriate mitigation strategies. The NCUA may also share this information with other federal agencies and law enforcement.

The new cyber incident notification requirements are an essential step in helping to protect credit unions and their members from cyber threats. By reporting incidents promptly, credit unions can help the NCUA to identify and respond to threats more quickly and effectively.

Here are some additional tips for credit unions to help them comply with the new cyber incident notification requirements:

  • Review your incident response plan and ensure it includes procedures for identifying and reporting reportable cyber incidents.
  • Train your employees on the importance of reporting cyber incidents and the consequences of non-compliance.
  • Monitor your systems and networks for signs of malicious activity.
  • Keep your software up to date with the latest security patches.
  • Use strong passwords and multi-factor authentication.
  • Be aware of the latest cyber threats and how to protect yourself from them.

By following these tips, credit unions can help to protect themselves from cyber threats and comply with the new cyber incident notification requirements.

For more information, please visit the NCUA’s website at www.ncua.gov/cybersecurity.

Oak Tree is always keeping an eye on the legal landscape in the United States to ensure our clients are compliant with their forms and documents.