iOn February 16, 2023, the National Credit Union Administration (“NCUA”) unanimously approved a final rule that requires a federally-insured credit union to report “reportable cyber incidents” to the NCUA as soon as possible, and in no event later than 72 hours after the credit union reasonably believes that it has experienced a reportable cyber incident. The final rule becomes effective later this year, on September 1, 2023. Credit Unions should implement measures now to ensure they are prepared for the upcoming expanded obligations.
Existing Incident Reporting Requirements
As Polsinelli’s Alexander Boyd summarized in his piece from August 2022, federally-insured credit unions are currently subject to the reporting standards found in the interpretive guidance to the Gramm-Leach-Bliley Act in the Interagency Guidance on Response Programs for Unauthorized Access to Member Information and Member Notice (the “Interagency Guidance”).1
Under the Interagency Guidance, credit unions are required to notify the appropriate NCUA Regional Director, and, in the case of state-chartered credit unions, their state supervisory authority as soon as possible when the credit union becomes aware of an incident involving unauthorized access to or use of sensitive member information. Supplemental opinions from the NCUA have clarified that “where an incident, even one involving sensitive member information, involves little or no likelihood of harm to the member, a credit union need not notify the NCUA,” thereby creating a basis to limit its reporting obligations following a data security incident where the incident creates no reasonable risk of harm to a member.2 These existing requirements under the Interagency Guidance will continue to apply even when the new 72-hour reporting rule goes into effect, as the scope of the two requirements are not identical.
Updated Incident Reporting Requirements
Under the new rule, a cyber incident (a term of art under the rule) becomes a “reportable cyber incident” in pertinent parts as follows:
A reportable cyber incident is any substantial cyber incident that leads to one or more of the following:
(A) A substantial loss of confidentiality, integrity, or availability of a network or member information system . . . that results from the unauthorized access to or exposure of sensitive data, disrupts vital member services . . . or has a serious impact on the safety and resiliency of operational systems and processes.
(B) A disruption of business operations, vital member services, or a member information system resulting from a cyberattack or exploitation of vulnerabilities.
(C) A disruption of business operations or unauthorized access to sensitive data facilitated through, or caused by, a compromise of a credit union service organization, cloud service provider, or other third-party data hosting provider or by a supply chain compromise.3
Further, as explained in the bulletin, the NCUA was intentionally broad in its use of the “substantial” qualifier and conveyed that the NCUA should be notified of cyber incidents that “are extensive or significant to the [credit union] or its members (or both), rather than minor or inconsequential.” This will be a fact-specific inquiry based on the circumstances of each incident and how it affects the specifically impacted credit union and its members.
The rule also includes a broad definition of “Sensitive data,” which it defines to mean “any information which, by itself or in combination with other information, could be used to cause harm to a credit union or credit union member and any information concerning a person or their account which is not public information, including any non-public personally identifiable information.”4 This definition is significantly broader than the operative definition of Sensitive Member Information used in the Interagency Guidance.
Finally, the bulletin is clear that it is supplemental to, and not in lieu of, Appendix B. Accordingly, a federally-insured credit union will still be subject to the existing requirements promulgated by NCUA, including the requirements to notify members of unauthorized access to their sensitive member information when misuse is reasonably possible.
Practical Next Steps for Credit Unions
The new rule becomes effective on September 1, 2023; accordingly, credit unions have a limited window during which to prepare. First, every federally-insured credit union (irrespective of charter status) should ensure its incident response plan and written information security policies are consistent with the new rule. At a minimum, this should include key points of contact for the credit union in the event of an incident. The plan should also contain examples of the types of incidents that may trigger a notification obligation.
Credit unions would also benefit from the generation of a data flow diagram and/or sensitive information audit with an eye toward the identification and retention of information that could meet the definitions of “Sensitive Member Information,” “Sensitive Data,” or both. This should include information on and off network, including in the email environment (and ideally, paired with an appropriate retention policy). Finally, organizations should explore proactive security and privacy options to mitigate the risk of falling victim to a security incident in the first place.
FOOTNOTES
1 15 U.S.C. § 6801 et seq.; 70 Fed. Reg. 15736 (Mar. 29, 2005) (promulgating 12 C.F.R. Part 748, App. B). See also https://www.natlawreview.com/article/national-credit-union-administration-issues-new-proposed-rule-requiring-72-hour
2 See The NCUA Report, Second Quarter 2017, pp. 7, 13 (confirming regulator notice is not required if the incident involves little or no likelihood of harm to the members).
3 See 12 CFR § 748, Cyber Incident Notification Requirements for Federally Insured Credit Unions, Docket No. 7535-01-U, available at https://www.ncua.gov/files/agenda-items/cyber-incident-notification-requirements-final-rule-20230216.pdf (last accessed February 20, 2023).
4 12 CFR § 748.1(c)(2), as amended September 1, 2023.
