Cyber incident proposal keeps focus on incidents impacting operations

CUNA supports NCUA efforts to minimize the impact of cyberattacks on members and the credit union system through early alerts and information sharing, it wrote to the agency Monday. CUNA’s comments are in response to NCUA’s proposed rule that would require federally insured credit unions to notify NCUA of “reportable cyber incidents” within 72 hours of establishing “reasonable belief” that one has occurred.

“We are largely supportive of this proposal and appreciate the NCUA’s tailored focus on cyber incidents that interfere with the operations of a credit union and their member service,” the letter reads. “The final rule should provide clear and specific instructions to credit unions stating exactly what information should be reported. Also, the rule should limit duplicative reporting requirements and reduce the reporting burden for credit unions.”

CUNA also notes:

• The definition of “reportable cyber incident” is largely consistent with industry standards and appropriately tailored to provide the NCUA with accurate, critical, and timely information regarding substantial cyber incidents.
• NCUA must ensure the protocol remains focused on when the credit union obtained a reasonable belief of an incident, not when a third party made that determination.
• The cyber incident reporting window should be no less than 72 hours, any changes from NCUA should only extend the time period.
• The NCUA should implement a clear, streamlined, and accessible process for cyber incident reporting involving a single point of contact reachable by telephone or email.
• The NCUA should not incorporate a 24-hour reporting window for ransomware attacks and should instead maintain a single 72-hour time frame for all reportable cyber incidents.

CUNA also requests NCUA provide additional guidance on how agency examiners will assess reported incidents during annual examinations.