Based on the "Cyber Incident Notification Requirements" letter from the National Credit Union Administration (NCUA) to Federally Insured Credit Unions, all federally insured credit unions must notify the NCUA as soon as possible (and no later than 72 hours) after the credit union reasonably believes it has experienced a reportable cyber incident or received a notification from a third party regarding a reportable cyber incident. This rule comes into effect on September 1, 2023.
If you attended my Managing your Internal & External Cybersecurity Teams talk at the 2023 CU Leadership Convention, you may remember that I suggested such a rule would likely be coming to the credit union industry sooner rather than later. Well, it looks like I was correct.
If you're unsure where to start, here's how a Lares Virtual Chief Information Security Officer (vCISO) service can assist your CU in getting ready for the impending rule:
Understanding and Compliance with Notification Requirements: A Lares vCISO can ensure that the credit union understands the requirement to notify the NCUA within 72 hours of reasonably believing it has experienced a reportable cyber incident or received a notification from a third party regarding such an incident.
Incident Classification: The Lares vCISO can help classify which incidents are reportable based on the definitions provided, such as unauthorized access to sensitive data, disruptions due to cyberattacks, or incidents involving third-party service providers.
Incident Response Plan Update: The Lares vCISO can review and update the existing incident response plan to align with the new rule, ensuring that it includes clear guidelines for identifying reportable incidents and escalation procedures.
Contract Review: A Lares vCISO can review contracts with critical service providers to ensure there are provisions requiring timely notification of cyber incidents.
Employee Training: The Lares vCISO can train all employees, emphasizing the importance of reporting cyber incidents and the potential consequences of non-compliance.
Monitoring and Review: The Lares vCISO can regularly monitor and review the cyber incident reporting process, conduct periodic tests, and use lessons learned from these exercises to improve the security program.
Documentation: A Lares vCISO can ensure that all cyber incidents are documented, regardless of whether they meet the reporting criteria. This includes documenting indicators of compromise, network information, attack vectors, exfiltrated data, and any forensic reports.
Open Communication with NCUA: The Lares vCISO can maintain open communications with the NCUA regarding any questions or concerns about the new rule and stay informed on guidance, best practices, and industry trends in cybersecurity.
In conclusion, a Lares vCISO can play a pivotal role in ensuring that credit unions comply with the NCUA's Cyber Incident Notification Requirements, enhance their overall cybersecurity posture, and improve their incident response capabilities.
Want to know more about how we can help your CU meet the requirements for this rule? Reach out to us today!
Empowering Organizations to Maximize Their Security Potential.
Lares is a security consulting firm that helps companies secure electronic, physical, intellectual, and financial assets through a unique blend of assessment, testing, and coaching since 2008.
15+ years in business, 600+ customers worldwide, 4,500+ engagements.

Andrew Hay is the COO at Lares and is a veteran cybersecurity executive, strategist, industry analyst, data scientist, threat and vulnerability researcher, and international public speaker with close to 25 years of cybersecurity experience across multiple domains. He prides himself on his ability to execute the security strategy of the company with which he works without neglecting business objectives and the needs of its customers. Andrew is the author of multiple books on advanced security topics and is frequently approached to provide expert commentary on industry developments. He has been featured in publications such as Forbes, Bloomberg, Wired, USA Today, and CSO Magazine.