We recently discussed the new SEC rule requiring all registered companies to report material cyber incidents within four (4) days.

Now the National Credit Union Administration (NCUA)¹ has updated their Cyber Incident Notification Rule, requiring all federally insured Credit Unions to notify the NCUA of any cyber incident no more than 72 hours after detection.²

In this post, we’ll provide a quick summary of the new requirements and how it impacts not only US Credit Unions, but also third parties supporting the move towards open banking.

Who Is Impacted?

There are over 4,700 federally insured Credit Unions in the US, with almost 137 million members (over 40% of the entire US population) and over $2.2 trillion in total assets.

Also impacted are third-party service providers which handle sensitive data or business operations for these Credit Unions. There is a specific carve out for contracted pentesting.

What’s a Cyber Incident?

The new rule is focused on actual or “imminent” harm to the confidentiality, integrity or availability (aka the CIA triad) of Credit Union information or information systems.

The Cyber Incident Notification Requirements rule defines a cyber incident as an occurrence that actually or imminently jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information on an information system or actually or imminently jeopardizes, without lawful authority, an information system.

NCUA Letter regarding Cyber Incident Notification Requirements

The rule defines reportable cyber incidents are any one or more of the following outcomes:

1. “A substantial loss of confidentiality, integrity, or availability of a network or member information system that results from the unauthorized access to or exposure of sensitive data, disrupts vital member services, or has a serious impact on the safety and resiliency of operational systems and processes.”
2. “A disruption of business operations, vital member services, or a member information system resulting from a cyberattack or exploitation of vulnerabilities.”
3. “A disruption of business operations or unauthorized access to sensitive data facilitated through, or caused by, a compromise of a credit union service organization, cloud service provider, or other third-party data hosting provider or by a supply chain compromise.”

When Does This Take Effect?

The new NCUA Cyber Incident Notification requirements come into effect beginning on September 1, 2023.

How Are APIs Involved?

In a couple of ways.

First, it’s no secret that attacks against APIs are not only increasing but getting increasingly more sophisticated. We see it in our sensor data – in fact, in our Q2-2023 API ThreatStats^TM report we saw 32.1M unique API attacks (40% of all attacks) against our customer base worldwide, including an astonishing 514% YoY increase in API attacks against US-based customers.

And this is borne out by the continuing attacks by the Cl0p ransomware group which exploit several API vulnerabilities in MOVEit, a Managed File Transfer (MFT) solution used by many organizations. It was recently reported that 15 banks and credit unions have confirmed MOVEit-related data breaches, including at least one case which arose because of a third party.

Second, the Open Banking movement, which is heavily dependent on information and data sharing via APIs, is accelerating worldwide and in the US. In fact, the Consumer Financial Protection Bureau (CFPB) recently announced that new rules will be proposed later this year with the expectation they will be finalized in 2024. This will only further the impact of the new NCUA reporting requirements.

Any Implementation Guidance?

The NCUA has provided some guidance to Credit Unions when implementing this rule, including:

• Update Response Plan, to provide clear guidelines on what constitutes reportable incidents and associated escalation & reporting procedures.
• Review Contracts, to confirm critical service providers are required to provide timely incident notification.
• Train Employees, to ensure they understand the importance of reporting cyber incidents and are properly supported to avoid the consequences of noncompliance.
• Monitor and Review, to validate the reporting process is effective; they also recommend periodic tests and exercises to evaluate its effectiveness.
• Document All Incidents, without regard to reportability, to serve as an audit trail to support reporting decisions and as a resource for future incident response.

Of course, if you find you need real-time integrated web app and API protection to extend security across your entire portfolio, we invite you to schedule a call with one of our security experts to learn how Wallarm can help you.

NCUA Resources

• Letter to Credit Unions: Cyber Incident Notification Requirements (23-CU-07 / August 2023)
• Quick Reference Guide: Cyber Incident Reporting (updated July 2023)
• Cybersecurity Resources, including assessment programs & tools, regulations & guidance, and more

1. The NCUA was created in 1970 as an independent federal agency with the mission to insure deposits at federally insured credit unions, protect the members who own credit unions, and charter & regulate federal credit unions. ↩︎
2. Note that, being member-owned, Credit Unions are not subject to the new SEC incident reporting rules. ↩︎