Proposed 72-Hour Cyber Incident Reporting Deadline for Credit Unions
The US agency that oversees credit unions on Wednesday proposed a 72-hour deadline for regulated companies to report cyberattacks.
Notification of a cyberattack would only involve the National Credit Union Administration (NCUA) and would not require credit unions to provide a detailed assessment of the incident to the organization within 72 hours.
The report would include a basic description of the cyberattack, what functions are affected, the date of the incident, what vulnerabilities may have been exploited or what tools were used, and any contact information of the hacker.
The rule proposed by the NCUA Board of Directors will accept public comments until September 26, after which the Board will decide whether or not to adopt it.
“While the Board is proposing a 72-hour time limit, depending on comments received during the comment period and the agency’s analysis of the need for faster reporting, the final rule may provide for a shorter time limit, such as 36 hours as the Federal banking agencies require,” the board added, noting that the report “would be subject to NCUA confidentiality rules.”
The board said it was pushing the new regulations “due to the increased frequency and severity of cyberattacks on the financial services industry.”
The NCUA’s board and leadership have raised concerns not only about cyberattacks that disrupt operations, but also about incidents that lead to unauthorized access to sensitive data or disrupt access to accounts and services.
The document also warns that an attack on a credit union could have far-reaching effects.
“Depending on the magnitude of a cyber incident, a credit union’s system data and backups may also be affected, which can severely affect the credit union’s ability to recover its operations,” the board said.
The board also urged federally insured credit unions to report any incidents to the FBI and the Cybersecurity and Infrastructure Security Agency (CISA), as this allows the government to learn more about attackers’ tactics.
Over the past few months, dozens of officials from government agencies such as CISA, the FBI, and the Department of Justice have taken multiple opportunities to plead for more robust incident reporting.
A federal law mandating incident reporting for organizations in critical industries was recently passed and the rules are expected to come into effect sometime before 2024. This law provides a 72-hour time limit for reporting incidents.
What is a reportable incident?
The NCUA’s proposed rule outlined what it considered a reportable cyber incident, writing that the attack would have a “serious impact on the security and resilience of operational systems and processes; disruption of business operations, vital member services, or a member information system resulting from a cyberattack or the exploitation of vulnerabilities.”
The NCUA said it “expects a [federally insured credit union] to exercise reasonable judgment in determining whether they have experienced a significant cyber incident that should be reported to the agency.” If a credit union is unsure, the NCUA said it should contact the agency.
The proposed rule includes a note that federally insured credit unions (FICUs) must also report any incidents affecting third-party providers.
“Credit unions are increasingly using third parties to provide technology services, including information security and mobile and online banking. These third-party systems and servers also store a large amount of FICU member data,” the board said.
“As of March 30, 2022, the top five third-party providers of the credit union core processing system provided services to credit unions holding approximately 87% of the total assets of the credit union system. Similarly, at the end of 2021, the top five CUSOs provided services to credit unions which held approximately 95% of the total assets of the credit union system.”
Recent Attacks on Credit Unions
Cybersecurity firm Black Kite released a report last year examining the cybersecurity posture of 250 NCUA credit unions and 150 vendors commonly used by credit unions. They found that “most” credit unions and vendors faced a range of cybersecurity issues, including leaked employee credentials, lackluster software patching practices and insecure email networks.
Researchers found at least one new employee credential leaked on the dark web from 86% of credit unions and 76% of suppliers, according to the report, which claimed that direct attacks on credit unions cost about $190,000 a year for small credit unions and more than $1.2 million for large credit unions.
Extortion group RansomHouse added Jefferson Credit Union to its list of victims earlier this year and Envision Credit Union announced a cyberattack last year involving ransomware group LockBit. Ardent Credit Union also faced an incident in 2020.
LARES Consulting COO Andrew Hay told The Record that credit unions often struggle to respond to cybersecurity incidents because they are often ill-prepared or understaffed. Dedicated incident response resources rarely exist in the credit union space unless the institution is exceptionally large.
“Credit unions pride themselves on putting their members above all else. Forcing them to report an incident before they’ve resolved the issue or determined a reasonable mitigation strategy will set many credit unions upside down,” Hay said.
“It would make much more sense to stagger reporting windows based on the number of members in the credit union or the amount of money under management. We can’t expect the smallest FCU to have the same incident response capabilities that a PenFed or a Navy Federal would have.”
At a Credit Union National Association event in March, NCUA President Todd Harper explicitly cited fears about cyberattacks as a major issue facing credit unions across the country. “I can’t stress this enough: all credit unions and vendors, regardless of size, are vulnerable to cyberattacks,” Harper said, according to Credit Union Times.
NCUA hosted an information meeting with CISA in April that included a range of cybersecurity offerings available to credit unions.
Harper said the NCUA, state watchdogs, credit unions and vendors have “a responsibility to protect our information systems, improve our collective ability to recover from incidents, educate our employees, share information, report and address potential vulnerabilities”.