On August 14, 2023, the National Credit Union Administration (“NCUA”) issued guidelines for Federally Insured Credit Unions (“FICU”) on submitting cyber incident notifications to the NCUA under the Cyber Incident Notification Requirements Rule (“Rule”). This Rule will take effect on September 1, 2023.
The new guidelines are relevant for credit unions that are protected by the National Credit Union Share Insurance Fund, with deposits insured up to at least $250,000 per individual depositor.
According to the Rule, a cyber incident is defined as “an occurrence that illegally jeopardizes or threatens the integrity, confidentiality, or availability of an information system or the data contained in an information system”. The new NCUA guidelines highlight that, according to the Rule, a reportable cyber incident is a substantial incident that leads to one of the following:
- a significant loss of confidentiality, integrity, or availability of a network or information system caused by unauthorized access to or exposure of sensitive data, that disrupts vital services, or impacts the safety of operational systems and processes;
- disruption of business operations, vital services, or information systems resulting from a cyberattack; or
- disruption of business operations or unauthorized access to sensitive data caused by a compromise of a FICU, cloud service provider, or other third-party service provider.
The NCUA advised FICUs to consider various factors when assessing whether an incident is ‘substantial’, including the size of the FICU, the type and impact of the loss, and the duration of the incident. The guidelines provide examples of substantial incidents that would likely qualify as reportable cyber incidents, and examples of incidents that likely would not.
The NCUA has further explained that a reportable cyber incident excludes activity performed in response to a request by the owner or operator of the system, such as a penetration test.
The guidelines state that the Rule requires a FICU that experiences a reportable cyber incident to report the incident to the NCUA as soon as possible and no later than 72 hours after the FICU becomes aware of the cyber incident.
As for the structural requirements, the guidelines instruct that when reporting a cyber incident, a FICU should provide details including: (1) the name of the FICU and its charter number; (2) the name and contact details of the person reporting the incident; (3) when the FICU became aware that a reportable cyber incident took place; and (4) a description of the incident, its impact, and whether sensitive information was compromised.
However, the NCUA stated that FICUs should refrain from including sensitive personally identifiable information, indicators of compromise, specific vulnerabilities, or email attachments in their cyber incident reports.
This document is intended to provide only a general background regarding this matter. This document should not be regarded as setting out binding legal advice but rather as a practical overview that is based on our understanding. APM & Co. is not licensed to practice law outside of Israel.
APM Technology and Regulation Team.