Notice of Proposed Rulemaking and Request for Comment
NCUA: Cyber Incident Notification Requirements for Federally Insured Credit Unions.
NASCUS Legislative and Regulatory Affairs Department
August 3, 2022
NCUA has issued a notice of proposed rulemaking and request for comment regarding Cyber Incident Notification requirements. NCUA’s proposal would require a federally insured credit union (FICU) to notify NCUA as soon as possible and no later than 72 hours after the FICU reasonably believes that it has experienced a “reportable cyber incident.” This notification requirement, on its face, does not require credit unions to provide a detailed incident assessment to the NCUA within the 72-hour time frame. The proposed rule and request for comment can be found here.
Comments are due to NCUA September 26, 2022.
The proposal defines both “cyber incident” and “reportable cyber incident”. In order to determine if the incident is a “reportable cyber incident”, a credit union would first determine whether the incident fits the definition of “cyber incident.” If so, then the credit union would further evaluate if the incident falls within the “reportable” cyber incident category.
The proposal defines a “cyber incident” to mean “an occurrence that actually or imminently jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information on an information system or actually or imminently jeopardizes, without lawful authority, an information system.”
A “reportable cyber incident” is defined as “any substantial cyber incident that leads to one or more of the following:
- A substantial loss of confidentiality, integrity, or availability of a network or member information system that results from the unauthorized access to or exposure of sensitive data, disrupts vital member services, or has a serious impact on the safety and resiliency of operational systems and processes.
- A disruption of business operations, vital member services, or a member information system resulting from a cyberattack or exploitation of vulnerabilities.
- A disruption of business operations or unauthorized access to sensitive data facilitated through, or caused by, a compromise of a credit union service organization, cloud service provider, managed service provider, or other third-party data hosting provider or by a supply chain compromise.”
A FICU would not be required to report an incident performed in good faith by an entity in response to a request by the owner or operator of the information system, such as contracting with a third party to perform a penetration test.
NCUA’s notice provides some examples of incidents that would be considered reportable cyber incidents under the proposed rule:
- A computer hacking incident that disables a FICU’s operations.
- A ransom malware attack that encrypts a core banking system or backup data.
- Third-party notification to a FICU that they have experienced a breach of a FICU employee’s personally identifiable information (PII).
- A detected, unauthorized intrusion into a network information system.
- Discovery or identification of zero-day malware in a network or information system.
- Internal breach or data theft by an insider.
- A systems compromise resulting from card skimming.
- Sensitive data exfiltrated outside of the FICU or a contracted third party in an unauthorized manner, such as through a flash drive or online storage account.
Information Required for Reporting
NCUA proposes to ask for the following information when a FICU reports pursuant to the proposal:
- A basic description of the reportable cyber incident, including what functions were, or are reasonably believed to have been, affected.
- The estimated date range during which the reportable cyber incident took place.
- Where applicable, a description of the exploited vulnerabilities and the techniques used to perpetrate the reportable cyber incident.
- Any identifying or contact information of the actor(s) reasonably believed to be responsible.
- The impact to the FICU’s operations.
Because NCUA anticipates that further follow-up communications between the FICU and the agency will occur through the supervisory process after a FICU reports, the proposed rule does not include any prescribed reporting forms or templates. NCUA believes the lack of prescribed reporting templates should minimize reporting burden.
NCUA offers additional definitions to effectuate the proposed breach notification rule.
- Compromise means the unauthorized disclosure, modification, substitution, or use of sensitive data or the unauthorized modification of a security-related system, device, or process in order to gain unauthorized access.
- Confidentiality means preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.
- Cyberattack means an attack, via cyberspace, targeting an enterprise’s use of cyberspace for the purpose of disrupting, disabling, destroying, or maliciously controlling a computing environment/infrastructure; or destroying the integrity of the data or stealing controlled information.
- Cyber incident means an occurrence that actually or imminently jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information on an information system, or actually or imminently jeopardizes, without lawful authority, an information system.
- Disruption means an unplanned event that causes an information system to be inoperable for a length of time.
- Integrity means guarding against improper information modification or destruction and includes ensuring information non-repudiation and authenticity.
- Sensitive data means any information which by itself, or in combination with other information, could be used to cause harm to a credit union or credit union member and any information concerning a person or their account which is not public information, including any non-public personally identifiable information.
Specific Request for Comments
While welcoming all comments on the proposed breach notification rule, NCUA seeks specific feedback on 9 questions:
- The concepts used in the definition of reportable cyber incident are as defined currently in the NCUA regulations or as defined by the National Institute of Standards and Technology. Are these appropriate concepts and definitions to use? If not, please explain your reasoning and how the proposed definition of reportable cyber incident should be modified.
- The proposed definition of reportable cyber incident would require a FICU to notify the NCUA in the event of a substantial cyber incident or cyberattack. What, if any, challenges would a FICU experience in concluding that it has experienced a cyberattack after determining it has experienced a reportable cyber incident? Would including a definition of substantial help a FICU in determining if it experienced a reportable cyber incident? If so, how would you define substantial?
- The proposed definition of reportable cyber incident would require FICUs to notify the NCUA in the event of a third-party compromise that impacts the FICU’s data or operations. In your experience, how do third parties with which FICUs contract currently provide notice when such incidents occur?
- The federal banking agencies recently promulgated a rule that requires banking organizations to report certain computer-security incidents to their regulators within 36 hours. Should the NCUA adopt a 72-hour reporting window, as proposed, or 36 hours as the federal banking agencies adopted, or is a different time frame warranted? If a different time frame, please explain what that would be and why?
- How should FICUs notify the NCUA when faced with a reportable cyber incident? Are email and telephone the best methods as suggested in the proposal? Should the NCUA adopt a single method of cyber incident reporting? Should the NCUA adopt a single point of contact in its Central Office or should FICUs report to their respective NCUA regional offices?
- The Cyber Incident Reporting Act requires CISA to establish separate reporting requirements for ransomware attacks. The Act defines a ransomware attack as an incident that includes the use or threat of use of unauthorized or malicious code on an information system, or the use or threat of use of another digital mechanism, such as a denial-of-service attack, to interrupt or disrupt the operations of an information system or compromise the confidentiality, availability, or integrity of electronic data stored on, processed by, or transiting an information system, to extort a demand for a ransom payment. The reporting window for these types of incidents is 24 hours. Should the NCUA incorporate a similar reporting requirement of 24 hours specifically for ransomware attacks?
- In addition to those referenced in the proposed rule, are there any other existing regulatory provisions that should be amended or clarified as a result of the proposed cyber-incident reporting requirement? For example, should § 748.1(b) on catastrophic act reporting be amended to include a requirement to report unplanned systemic outages of technological assets and critical networks, computer assets, systems, data, devices, or applications used to deliver vital electronic services to credit union members, not related to cyber incidents, that last more than two consecutive business days? For example, should the definition of vital member services be updated to reflect changes in how vital services are delivered to members to include reliance on the use of electronic banking systems and/or mobile banking applications to access and conduct transactions on their share, deposit, or loan accounts?
- Is further clarification needed about any potential overlap between this proposed rule’s reporting requirement in the event of unauthorized access to or exposure of sensitive data and the reporting of unauthorized access to member information conducted under the Unauthorized Access Guidance? If so, please provide specific concerns or issues that need to be addressed.
- The NCUA invites comments on specific examples of incidents that should or should not constitute reportable cyber incidents. In addition to the examples listed in the proposal are there others the agency should consider?