Third-party cybersecurity threats continue to be a top concern for financial institutions everywhere.
Just last month, NCUA Chair Todd Harper spoke about the $2 trillion in assets that are exposed to risks, in part because the agency doesn’t supervise third-party vendors.
The responsibility of managing third-party risk lies with credit unions, who will soon need to comply with cyber incident reporting requirements. The NCUA final rule, which goes into effect Sept. 1, 2023, states that federally insured credit unions (FICUs) will have 72 hours to report cyber incidents to the agency.
According to the 32-page rule, “This rule does not impact existing contractual relationships. While the proposed rule asked FICUs to share how third parties provide notice to FICUs in the event of a cyber incident, there is no requirement in the proposed or final rules that FICUs amend existing contracts to comply with this rule.”
The term “cyber incident” is somewhat vague, so it’s important to understand how NCUA defines it and when an incident needs to be reported.
Most credit unions are probably facing some sort of cyber incident on a regular basis, whether it’s a phishing attempt or even an unsuccessful malware attack that was prevented by security software. The rule states that these types of failed attempts wouldn’t need to be reported.
Credit unions must report a cyber incident when:
The rule stops short of defining “substantial” with specific data points but does provide examples of reportable incidents. The agency also urges FICUs to take the approach of “better safe than sorry” when reporting cyber incidents.
While NCUA will provide further guidance before the rule goes into effect, credit unions should consider how to implement this rule within their own third-party risk management programs. A good first step is vetting your third parties’ cybersecurity program to ensure they’re properly identifying, preventing, and responding to incidents.
Four tips to ensure your credit union is protected from third-party cyber incidents:
Many cybersecurity teams operate under the assumption that their organizations or third parties will eventually be targeted in an incident. For credit unions to maintain operational resilience and protect their members from cybersecurity threats, early detection and notification are essential.
AARON KIRKPATRICK is chief information security officer at Venminder, a CUNA Strategic Services alliance provider.