March 5, 2024
Federal credit union regulators are focusing on incident response in 2024 and there are several recent headlines — and new incident reporting requirements — that illustrate why these types of financial institutions need to be prepared.
Community banks face heightened vulnerability when compared with larger financial institutions because of their limited information security resources and greater reliance on third-party service providers, which, in turn, have been prime targets for ransomware attacks, according to the Office of Financial Research’s annual report, which assesses risks associated with the U.S. financial system. Last November, 60 credit unions experienced outages after a ransomware attack on a widely-used cloud services provider.
After implementing a new reporting rule for information breaches last year and citing “an evolving cybersecurity threat landscape posing persistent risks to credit unions,” the National Credit Union Administration included incident response as one of its 2024 supervisory priorities.
In addition to regulators focusing on incident response, including incidents incurred by third parties, the NCUA says examiners will continue to assess whether credit unions have implemented robust information security programs. Here’s more about the NCUA’s reporting requirements and how credit unions can prepare themselves to respond if an incident occurs.
Last September, the NCUA’s Cyber Incident Notification Reporting Rule took effect, mandating that federally insured credit unions notify the NCUA within 72 hours after the credit union reasonably believes that a reportable cyber incident has occurred. According to the NCUA, reportable incidents are one of the following:
The NCUA recommends reviewing existing incident response plans and updating them to align with this new rule, which includes incorporating the reporting requirement timeframes and procedures for notifying the NCUA and ensuring the plan includes guidelines for identifying reportable incidents and escalation procedures for notifying management and the NCUA.
Because of recent breaches and attacks, credit unions’ review of incident response plans should focus on third-party contracts within their service supply chain. Do your agreements include provisions requiring third-party providers to provide timely notification of incidents?
In addition to reviewing third-party agreements to ensure your credit union will receive information in time to make mandated reports about cyber incidents to the NCUA, do your contracts include liability clauses and insurance requirements?
Now is also the time to prioritize a closer review of critical vendors that can have a material impact on customer information if they experience an incident.
Once you’ve updated your incident response policy, run tests and exercises to confirm your reporting procedures are in place.
The NCUA recommends documenting all cyber incidents, regardless of whether they meet the reporting criteria, including these details:
Update your plans after tests and when events occur to reflect lessons learned.