Banks must follow specific rules around reporting cyber incidents. These rules are published by the Federal Reserve, Office of the Comptroller of the Currency (OCC), and Federal Deposit Insurance Corporation (FDIC). The final rule notification was published on 11/23/2022 and became effective on April 1, 2023.
Per the rule, banks have 36 hours to report cyber-security incidents to federal regulators. Affected customers must also be notified. Whether an incident reaches a reportable level is at the bank's discretion.
Credit unions are following suit with their own set of cyber incident rules. The final rule has been approved and is expected to go into effect in September 2023.
The National Credit Union Administration (NCUA) is the regulatory body overseeing the approval of these rules. While credit unions should report a cyber incident immediately, they will have up to 72 hours to do so. Similar to the banking rules, it is at the credit union's discretion to determine whether the incident is reportable. A guide for determining reportability is whether the credit union "reasonably believes" an incident has occurred.
Some incidents will be reportable, while others will be non-reportable. NCUA will issue further guidance and clarity around what reportable means, along with some examples. Rules for both banking and credit unions require reporting if an incident has significantly disrupted operations.
The rule also involves service providers and other third parties. For example, if an incident occurs at a third party, the credit union must be informed and must then report the incident to NCUA. This chain of reporting has a weak link, since it depends on providers and third parties relaying the occurrence of any incident to credit unions. Also, the incident should be reported before a credit union, provider, or third party has completed an investigation into the incident.
This isn't the first time such security guidance has been issued for credit unions. The Interagency Guidelines adopted pursuant to the Gramm-Leach-Bliley Act (GLBA) already include a requirement that credit unions maintain "response programs" for unauthorized access, as well as report such incidents.