We recently discussed the new SEC rule requiring all registered companies to report material cyber incidents within four (4) days.
Now the National Credit Union Administration (NCUA) has updated its Cyber Incident Notification Rule, requiring all federally insured Credit Unions to notify the NCUA of any cyber incident no more than 72 hours after detection.
In this post, we’ll provide a quick summary of the new requirements and how it impacts not only US Credit Unions, but also third parties supporting the move towards open banking.
There are over 4,700 federally insured Credit Unions in the US, with almost 137 million members (over 40% of the entire US population) and over $2.2 trillion in total assets.
Also impacted are third-party service providers that handle sensitive data or business operations for these Credit Unions. There is a specific carve-out for contracted pentesting.
The new rule is focused on actual or “imminent” harm to the confidentiality, integrity or availability (aka the CIA triad) of Credit Union information or information systems.
The Cyber Incident Notification Requirements rule defines a cyber incident as an occurrence that actually or imminently jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information on an information system or actually or imminently jeopardizes, without lawful authority, an information system.
NCUA Letter regarding Cyber Incident Notification Requirements
The rule defines reportable cyber incidents as those that result in any one or more of the following outcomes:
The new NCUA Cyber Incident Notification requirements come into effect beginning on September 1, 2023.
The new rule intersects with API security in a couple of ways.
First, it’s no secret that attacks against APIs are not only increasing but getting more sophisticated. We see it in our sensor data: in our Q2-2023 API ThreatStats™ report we saw 32.1M unique API attacks (40% of all attacks) against our customer base worldwide, including an astonishing 514% YoY increase in API attacks against US-based customers.
This is borne out by the continuing attacks by the Cl0p ransomware group, which exploit several API vulnerabilities in MOVEit, a Managed File Transfer (MFT) solution used by many organizations. It was recently reported that 15 banks and credit unions have confirmed MOVEit-related data breaches, including at least one case that arose because of a third party.
Second, the Open Banking movement, which is heavily dependent on information and data sharing via APIs, is accelerating worldwide and in the US. In fact, the Consumer Financial Protection Bureau (CFPB) recently announced that new rules will be proposed later this year with the expectation they will be finalized in 2024. This will only further the impact of the new NCUA reporting requirements.
The NCUA has provided some guidance to Credit Unions when implementing this rule, including:
Of course, if you find you need real-time integrated web app and API protection to extend security across your entire portfolio, we invite you to schedule a call with one of our security experts to learn how Wallarm can help you.