All federally insured credit unions must report cyber incidents within 72 hours of discovery, according to the National Credit Union Administration's (NCUA) updated cyberattack reporting policy. The countdown begins once the credit union forms "a reasonable belief a reportable cyber incident has taken place," is informed by a third party of a data compromise, or experiences a disruption caused by an attack.
The policy covers all incidents that affect information systems or the integrity, confidentiality, or availability of data on those systems. Reportable incidents include those that lead to a network or system compromise through unauthorized access to or exposure of sensitive information, and those that disrupt services or operational systems, the NCUA said.
Examples of incidents that should be reported include:
- Distributed denial-of-service attacks, which may disrupt business operations, service, or systems.
- Unexpected malfunctions that leave customers unable to access their accounts for a period of time.
- Unauthorized tampering with systems and accidental exposures of sensitive data.
- Data breaches and disruptions that occur as a result of a cyberattack on third-party service providers.
"The overall definition of a reportable cyber incident is intended to capture the reporting of substantial cyber incidents. A credit union's determination of 'substantial' depends on a variety of factors, including the size of the credit union, the type and impact of the loss, and its duration," the NCUA said.
Failed attacks, such as phishing attempts that were successfully blocked, should not be reported.
The revised rule goes into effect Sept. 1. Credit unions should continue to follow the previous reporting framework for incidents that involve unauthorized access to user data but don't fall under the new rules, the agency said.