NCUA Proposed Rule
At its recent board meeting, the National Credit Union Administration (NCUA) issued a proposed rule regarding cyber incident notification requirements, which can be found here.
This proposed rule has a 60-day comment period and would apply to federally insured credit unions.
The discussion of the proposed rule explains, “given the frequency and severity of cyber incidents within the financial services industry, the National Credit Union Administration Board (Board) believes it is important that the National Credit Union Administration (NCUA or agency) be notified of cyber incidents that disrupt a federally insured credit union’s (FICU) operations, lead to unauthorized access to sensitive data, or disrupt members’ access to accounts or services.”
Part 748 is proposed to be amended by adding new subsection (c)Cyber Incident Report. Under this new provision, “Each federally insured credit union must notify the appropriate NCUA-designated point of contact of the occurrence of a reportable cyber incident via email, telephone, or other similar methods that the NCUA may prescribe. The NCUA must receive this notification as soon as possible but no later than 72 hours after a federally insured credit union reasonably believes that it has experienced a reportable cyber incident or, if reporting pursuant to section (c)(1)(iii), within 72 hours of being notified by a third party, whichever is sooner.”
The proposed rule further explains what a “reportable cyber incident” may involve, including: “A reportable cyber incident is any substantial cyber incident that leads to one or more of the following: (i) A substantial loss of confidentiality, integrity, or availability of a network or member information system as defined in App. A (I)(B)(2)(e) that results from the unauthorized access to or exposure of sensitive data, disrupts vital member services as defined in § 749.1, or has a serious impact on the safety and resiliency of operational systems and processes. (ii) A disruption of business operations, vital member services, or a member information system resulting from a cyberattack or exploitation of vulnerabilities. (iii) A disruption of business operations or unauthorized access to sensitive data facilitated through, or caused by, a compromise of a credit union service organization, cloud service provider, or other third-party data hosting provider or by a supply chain compromise.”
Several definitions are proposed to clarify the notification requirement, including definitions for compromise, confidentiality, cyberattack, cyber incident, disruption, integrity, and sensitive date.
The preamble to the proposed rule explains that the NCUA expects a FICU to exercise reasonable judgment in determining whether it has experienced a substantial cyber incident that would be reportable to the agency. Under this proposal, if a FICU is unsure as to whether a cyber incident is reportable, the Board encourages the FICU to contact the agency.
Reminder - NCUA Regulatory Review Comments Wanted
Every year the NCUA reviews one-third of its existing regulations. Comments are due August 16, 2022. As explained by the NCUA – “The NCUA’s goal is to ensure that all of our regulations are clearly articulated and easily understood. Comments are welcome on that aspect, as well as substantive suggestions for regulatory changes.”
The entire list of regulations under review this summer can be found here, but it includes regulations relating to FCU bylaws, FCU chartering and field of membership manual, loans to members and lines of credit to members, services for nonmembers within field of membership, truth in savings, mergers of insured credit unions into other credit unions.
If you have any thoughts or suggestions on potential improvements or changes, please submit them either directly to NCUA or feel free to send your thoughts to me and I will incorporate them into our comment letter.
Compliance Solution – RecoveryPro
It pays to prepare for the worst. RecoveryPro can help!
Disruption or loss of access to core business functions can have severe consequences for credit unions and their members. Business continuity planning does not question the odds of a disruption happening, but looks at the impact these disruptions may cause, then makes plans and preparations accordingly.
RecoveryPro guides credit unions through the creation, maintenance, and testing of robust business continuity plans (BCPs). Templates and sample content lead the credit union through the collection and presentation of data, and a full content management system provides a secure online platform for management and staff to access the BCP for review and testing, or in the event of a disaster or work stoppage event.
The content in RecoveryPro is based on FFIEC guidance. It was developed with the help of a 20+ year Business Continuity veteran and has been fully vetted with multiple State and NCUA auditors.
Credit unions will be able to easily navigate the system, which utilizes technology similar to CU PolicyPro. The CU Solutions Group staff is available to assist with technical support, questions related to content, or general best practices and tips for developing and managing the credit union's BCP.
Learn more about RecoveryPro here. If you are more of visual learner, there is also an overview video.
As always, DakCU members may contact Amy Kleinschmit with any compliance related concerns.
The Memo is DakCU's newsletter that keeps
Want the Memo delivered straight to your inbox?