US Credit Unions to Come Under Cyber Incident Reporting Rule

Proposed Rule Asks for Incident Data From Third-Party Data Processors
U.S. federal credit union regulators plan to impose new cybersecurity incident reporting requirements, including a duty to relay reports of cyber incidents experienced by third-party vendors.
The National Credit Union Administration announced the mandate in a proposed rule that cites the financial industry's vulnerability to ransomware and other cyberattacks. The NCUA board approved the proposed rule during an open meeting on July 21.
Credit unions are "the NCUA's eyes and ears," said board Chairman Todd Harper. The government deposit insurer is accepting comments through late September.
The proposed regulation would require federally chartered credit unions to report within 72 hours any incident that leads to the "substantial loss" of confidentiality, integrity or availability of member information. A cyberattack causing a disruption of business operations would also come under the umbrella of reportable events. So would the compromise of sensitive data or business operations resulting from an incident experienced by a third-party service provider.
Regulators say the need for vendor incident reports stems from the coupling between credit unions and technology services that store and process vast amounts of member data. Those service providers are tightly concentrated, as well.
Just five deposit, payment and data processing service companies dominate the credit union market. At the end of 2021, those five companies processed about 95% of credit union-held assets.
Cybersecurity risk from credit union service organizations "is a significant concern given that credit unions rely on many of the same third-party vendors," the NCUA says.
American banks are already obligated to report cyber incidents to regulators within 36 hours (see: Regulators: Banks Have 36 Hours to Report Cyber Incidents).
Congress and President Joe Biden earlier this year also required operators of critical infrastructure to report cybersecurity incidents to the Cybersecurity and Infrastructure Security Agency within 72 hours, but the details of that reporting mandate may not be finalized until 2024.
Credit union regulators say they're not waiting, calling it "imprudent in light of the increasing frequency and severity of cyber incidents to postpone a notification requirement until after CISA promulgates a final rule."
Although the NCUA says it's going ahead with a reporting requirement, it asks for industry comment, including on whether the proposed 72-hour window for incident reporting should be shortened to the banking standard of 36 hours.
It also asks whether it should follow the new critical infrastructure reporting law's lead and mandate a shorter, 24-hour reporting window for ransomware attacks.
Trade association National Association of Federally-Insured Credit Unions says in a statement that the NCUA already requires federally insured credit unions to notify regulators "as soon as possible" when they detect an incident involving unauthorized access to sensitive member information.*
"NAFCU supports efforts to harmonize cybersecurity standards; however, federal regulators, including the NCUA, must ensure that administrative compliance complements, rather than distracts from, core IT security activities," senior counsel Andrew Morris says in a statement to Information Security Media Group.
*Update July 26, 2022 21:40 UTC: Adds comment from the National Association of Federally-Insured Credit Unions.