The National Credit Union Administration board on Thursday unanimously approved a final rule that will require credit unions to report cybersecurity attacks within 72 hours.
The rule requires federally insured credit unions to notify the NCUA of any cyber incident that rises to the level of “reportable” as soon as possible, but no later than 72 hours after the institution reasonably believes that a reportable cyber incident has occurred.
The regulator defines a reportable cyber incident, in part, as an occurrence that leads to a “substantial loss of confidentiality, integrity or availability of an information system due to unauthorized access.”
Exposure of sensitive member data or an incident that disrupts member services or that has a serious impact on the safety and resiliency of operational systems and processes would also require NCUA notification, the regulator said.
In order to give the agency and credit unions sufficient time for implementation, the effective date of the rule is no earlier than Sept. 1.
Banks are required to notify their primary federal regulator of any significant computer-security incident no later than 36 hours after determining that one occurred.
At the board’s monthly meeting Thursday, NCUA Chairman Todd Harper said the rule is largely unchanged from the proposal the agency discussed in July.
Harper said he has long believed that the NCUA should work to improve the efficiency of agencies by streamlining rules and regulations whenever possible.
The rule would also align with the Cyber Incident Reporting for Critical Infrastructure Act signed into law in March.
“Each of us in the financial system has an obligation to protect our nation’s economic and financial infrastructure,” Harper said. “And credit unions must be included in conversations about this critical infrastructure.”
Board vice chairman Kyle Hauptman said the sooner the NCUA is aware of an incident the sooner it can determine whether it’s isolated or widespread.
“And if we do this correctly it means fewer cyber incidents,” Hauptman said. “A five-minute patch that you put on your systems can save days of effort and mayhem.”
The Credit Union National Association said in a statement that the NCUA must ensure the protocol remains focused on when the credit union obtained a reasonable belief of an incident, not when a third party made that determination.
Harper said cyber risk in the credit union system often “lurks in the ether” beyond the NCUA’s purview, within the credit union service organizations and other third-party service providers.
“As a result, thousands of credit unions, tens of millions of consumers who use credit unions, and roughly $2 trillion in assets are exposed to potentially devastating risks,” he said.
The NCUA in November proposed a rule that would give the agency authority over third-party vendors, including CUSOs.
Board member Rodney Hood said that after many years in which cybersecurity has been top of mind for financial institutions, a sustainable solution should be at hand.
“But unfortunately, that’s simply not the case given the velocity and evolution of cybersecurity threats,” Hood said. “As such, we have to accept that cybersecurity threats are an ongoing risk, both to financial institutions’ operations and their reputations as well.”
The NCUA said the rule allows for reportable cyber incidents to be reported via email, telephone or other similar methods. The board said it also understands that the time period right after a cyber incident can be hectic, and credit unions will rightly be focused on recovery.
Therefore, the NCUA said it will limit follow-ups during such incidents to minimize burden on federally insured credit unions.