news.cuna.org/articles/122362-manage-third-party-cyber-risk-4-tips
Aaron Kirkpatrick, Venminder

Manage third-party cyber risk: 4 tips

Early detection and notification are essential to guard against cybersecurity threats.

April 12, 2023

Third-party cybersecurity threats continue to be a top concern for financial institutions everywhere.

Just last month, NCUA Chair Todd Harper spoke about the $2 trillion in assets that are exposed to risks, in part because the agency doesn’t supervise third-party vendors.

The responsibility for managing third-party risk lies with credit unions, which will soon need to comply with cyber incident reporting requirements. The NCUA final rule, which goes into effect Sept. 1, 2023, states that federally insured credit unions (FICUs) must report a reportable cyber incident to the agency as soon as possible and no later than 72 hours after the credit union reasonably believes the incident has occurred.

According to the 32-page rule, “This rule does not impact existing contractual relationships. While the proposed rule asked FICUs to share how third parties provide notice to FICUs in the event of a cyber incident, there is no requirement in the proposed or final rules that FICUs amend existing contracts to comply with this rule.”

What’s a reportable cyber incident?

The term “cyber incident” is broad, so it is important to understand how NCUA defines the subset of incidents that must be reported.

Most credit unions face some sort of cyber incident on a regular basis, whether a phishing attempt or an unsuccessful malware attack blocked by security software. The rule states that failed attempts of this kind do not need to be reported.

Credit unions must report a cyber incident when:

  • It leads to a substantial loss of confidentiality, integrity, or availability of a member information system as a result of the exposure of sensitive data or the disruption of vital member services.
  • It has a serious impact on the safety and resiliency of operational systems and processes.
  • It leads to a disruption of business operations, vital member services, or a member information system.
  • A third party has informed the FICU that the FICU’s sensitive data or business operations have been compromised or disrupted as a result of a cyber incident experienced by the third party, or the FICU has formed a reasonable belief that this has occurred.

The rule stops short of defining “substantial” with specific thresholds but does provide examples of reportable incidents. The agency also urges FICUs to take a “better safe than sorry” approach and report when in doubt.

Guarding against risk

While NCUA will provide further guidance before the rule goes into effect, credit unions should consider now how to implement it within their own third-party risk management programs. A good first step is vetting each third party’s cybersecurity program to confirm it properly identifies, prevents, and responds to incidents.

Four tips to ensure your credit union is protected from third-party cyber incidents:

  1. Request testing documentation. Your third party’s testing results will reveal whether any vulnerabilities were found and whether they were mitigated or remediated. This may include vulnerability scanning, penetration testing, and social engineering testing. Check the date and scope of each test and ask for retest evidence for any significant findings, since an old or narrowly scoped report says little about the systems that hold your data.
  2. Verify security policies. If your third party has access to sensitive data, verify that they keep it secure through encryption standards, retention and destruction policies, and data classification and privacy policies.
  3. Review the incident response plan. Make sure you understand how your third party will prepare for, identify, contain, eradicate, and recover from different types of cyber incidents. The plan should also state the timeline for notifying your organization of an incident; that timeline needs to be short enough that you can assess the impact and still meet your own 72-hour reporting window to NCUA.
  4. Use contractual leverage. As a best practice, third-party contracts should include provisions on the timing and content of incident notifications and on the return or destruction of your data once the relationship ends.

Many cybersecurity teams operate under the assumption that their organizations or their third parties will eventually be the target of an incident. For credit unions to maintain operational resilience and protect their members from cybersecurity threats, early detection and prompt notification are essential.

AARON KIRKPATRICK is chief information security officer at Venminder, a CUNA Strategic Services alliance provider.