Federally insured credit unions have been notified by the National Credit Union Administration (NCUA) of a new regulation set to take effect on September 1, 2023.
Under the forthcoming rule, credit unions will be obligated to notify the NCUA about any reportable cyber incident within 72 hours. Such incidents include instances of unauthorized data access, disruptions in vital member services and breaches facilitated by third-party service providers.
The NCUA has outlined clear reporting protocols to facilitate compliance. Credit unions are expected to provide critical details when reporting, including their name, charter number and a concise description of the incident. However, specific sensitive data, such as indicators of compromise (IoC) and specific vulnerabilities, are advised to be excluded from the initial communication.
In preparation for the rule’s enactment, credit unions are advised to revisit their existing incident response plans, scrutinize contracts with third-party service providers and ensure that employees are adequately trained to identify and promptly report cyber incidents.
“Plausible deniability is now dead. This has been a long time coming,” commented Tom Kellermann, SVP of cyber strategy at Contrast Security.
“The first 72 hours is of paramount importance to prevent lateral movement by cyber-criminals and systemic fraud. I applaud the mention of third parties as many banks are hacked due to the compromise of shared service providers via island hopping.”
This regulation marks a significant step toward shoring up the financial sector’s defenses against cyber-threats. As credit unions embrace this new directive, their cybersecurity measures are expected to be fortified, ultimately contributing to a more secure landscape for members and stakeholders.
For additional information and resources on how credit unions can effectively navigate this new rule, interested parties are encouraged to explore the NCUA’s dedicated Cybersecurity Resources webpage.