72-hour deadline for cyber incident reporting proposed for credit unions

The U.S. agency that oversees credit unions proposed a 72-hour deadline for regulated companies to report cyberattacks on Wednesday.

Notification of a cyberattack would only involve the National Credit Union Administration (NCUA) and would not require credit unions to provide a detailed incident assessment to the organization within 72 hours. 

The report would include a basic description of the cyberattack, what functions are affected, the date of the incident, what vulnerabilities may have been exploited or what tools were used as well as any contact info from the hacker.

The proposed rule from NCUA’s board will take comments and feedback until September 26 and will then decide whether to move forward with it. 

“While the Board is proposing a 72-hour time frame, depending on the feedback received during the comment period and the agency's analysis of the need for more prompt reporting, the final rule may provide a shorter time frame, such as 36 hours as the Federal banking agencies require,” the board added, noting that the report “would be subject to the NCUA's confidentiality rules.”

The board said it was pushing the new regulations “due to the increased frequency and severity of cyberattacks on the financial services sector.” 

The board and administration behind the NCUA raised concerns about not only cyberattacks that disrupt operations but also incidents that lead to unauthorized access to sensitive data or disrupt access to accounts and services. 

The document also warns that an attack on one credit union could have wide-ranging effects.

“Depending on the scope of a cyber incident, a credit union's data and system backups may also be affected which can severely affect the ability of the credit union to recover operations,” the board said.

It also urged federally-insured credit unions to report any incidents to the FBI and Cybersecurity and Infrastructure Security Agency (CISA) because doing so allows the government to learn more about attacker tactics and more.

In recent months, dozens of representatives from government agencies like CISA, the FBI and the Justice Department have taken multiple opportunities to beg for more robust incident reporting.

A federal law mandating incident reporting for organizations in critical industries was recently passed and the rules are slated to take effect at some point before 2024. That law includes a 72-hour time frame for reporting incidents.  

What is a reportable incident?

The proposed NCUA rule sketched out what it considers a reportable cyber incident, writing that the attack would have a “serious impact on the safety and resiliency of operational systems and processes; a disruption of business operations, vital member services, or a member information system resulting from a cyberattack or exploitation of vulnerabilities.”

The NCUA said it “expects a [federally insured credit union] to exercise reasonable judgment in determining whether it has experienced a substantial cyber incident that would be reportable to the agency.” If a credit union is unsure, NCUA said they should contact the agency.

The proposed rule includes a note that FICU should also report any incidents affecting third party suppliers.

“Credit unions are increasingly using third parties to provide technological services, including information security and mobile and online banking. These third-party systems and servers also store a vast amount of FICU member data,” the board said.

“As of March 30, 2022, the top five credit union core processing system third-party vendors provided service to credit unions holding approximately 87 percent of total credit union system assets. Likewise, at the end of 2021, the top five CUSOs provided service to credit unions that hold approximately 95 percent of total credit union system assets.”

Recent attacks on credit unions

Cybersecurity firm Black Kite released a report last year examining the cybersecurity posture of 250 NCUA credit unions and 150 vendors commonly used by credit unions. They found that “most” credit unions and vendors were dealing with a range of cybersecurity issues, including leaked employee credentials, lackluster software patch practices and insecure email networks.

Researchers found at least one new leaked employee credential on the dark web from 86% of credit unions and 76% of vendors, according to the report, which claimed that direct attacks on credit unions cost about $190,000 for small credit unions annually and more than $1.2 million for large credit unions.

The RansomHouse extortion group added Jefferson Credit Union to its list of victims earlier this year and Envision Credit Union announced a cyberattack last year involving the LockBit ransomware group. Ardent Credit Union also faced an incident in 2020.

LARES Consulting COO Andrew Hay told The Record that credit unions often scramble to respond to cybersecurity incidents because they are often unprepared or understaffed. Dedicated incident response resources rarely exist in the Credit Union space unless the institution is exceptionally large.

“Credit Unions pride themselves on putting their members above anything else. Forcing them to report an incident before they have resolved the issue or determined a reasonable mitigation strategy will rub many credit unions the wrong way,” Hay said.

“It would make far more sense to scale the reporting windows based on the Credit Union member count or amount of money under management. We can't expect the smallest FCU to have the same incident response capabilities that a PenFed or Navy Federal would have.”

During a Credit Union National Association event in March, NCUA Chairman Todd Harper explicitly cited fears about cyberattacks as a major issue facing credit unions across the country. “I cannot stress this enough: All credit unions and vendors, regardless of size, are vulnerable to cyberattacks," Harper said, according to Credit Union Times.

The NCUA held a briefing with CISA in April that included a range of cybersecurity offerings available to credit unions.

Harper said the NCUA, state supervisory authorities, credit unions, and vendors have “a responsibility to protect our IT systems, improve our collective ability to recover from incidents, educate our employees, share information, and report and address potential vulnerabilities.”