(From America’s Credit Unions’ Compliance Blog) – As we’ve witnessed in the past, cyberattacks tend to rise when global tensions flare. With the United States now in a conflict with Iran, credit unions should stay alert to the cyber threat environment as bad actors set their sights on the financial services sector. So, we’re going back-to-basics on what the National Credit Union Administration (NCUA) expects credit unions to do when a cyberattack results in compromised sensitive member data.
Unauthorized Access to Sensitive Member Information
Part 748 of NCUA’s regulations requires federally-insured credit unions to develop and implement “risk-based” response programs to address “instances of unauthorized access to member information in member information systems” (commonly referred to as a “security breach” or “data breach”).
“Member information systems” consist of “all of the methods used to access, collect, store, use, transmit, protect, or dispose of member information,” including systems maintained by the credit union’s service providers (Part 748, Appendix A, Paragraph I.C.2.d.). The term covers both hardware and software, so a third-party cloud environment or a vendor-hosted core system is a member information system for purposes of the response program.
Appendix B to Part 748 (the interagency guidance on response programs for unauthorized access to member information and member notice) gives credit unions direction on how to meet this requirement, which implements the information-safeguards provisions of the Gramm-Leach-Bliley Act (GLBA).
When a credit union becomes aware of an incident of unauthorized access to “sensitive member information” in member information systems, the institution is required to conduct a reasonable investigation to promptly determine the likelihood that the information has been or will be misused. Sensitive member information includes data such as:
- A member’s name, address, or telephone number used in conjunction with the member’s Social Security number, driver’s license number, account number, credit or debit card number, or a personal identification number or password that would permit access to the member’s account.
- Any combination of components of member information that would allow someone to log onto or access the member’s account, such as username and password or password and account number.
The credit union’s response program must also include procedures to notify members about incidents of unauthorized access to member information systems that could result in substantial harm or inconvenience to the member (e.g., stolen funds, identity theft).
Components of a Response Program
At a minimum, a credit union’s response program should contain procedures for:
- Assessing the nature and scope of an incident and identifying what member information systems and types of member information have been accessed or misused.
- Notifying the appropriate NCUA Regional Director or state supervisory authority (for federally insured state-chartered credit unions), as soon as possible when the credit union becomes aware of an incident involving unauthorized access to or use of sensitive member information. See “The 72-Hour Rule” below.
- Notifying appropriate law enforcement authorities, in addition to filing a timely Suspicious Activity Report (SAR), in situations involving Federal criminal violations requiring immediate attention, such as when a reportable violation is ongoing.
- Taking appropriate steps to contain and control the incident to prevent further unauthorized access to or use of member information (e.g., monitoring, freezing, or closing affected accounts) while preserving records and other evidence.
- Notifying members as soon as reasonably possible when the credit union determines that misuse of sensitive member information has occurred or is reasonably possible.
- The member notice must describe the incident in general terms and the type of member information that was compromised, explain the steps the credit union has taken to prevent further unauthorized access, provide a telephone number members can call for information and assistance, and recommend next steps (e.g., remain vigilant, review account statements, place a fraud alert or obtain a free credit report, and report suspected identity theft, including pointers to Federal Trade Commission resources). See Appendix B, Section III.B for the complete list of required and recommended contents.
If a service provider experiences unauthorized access to member information stored in its systems, the credit union is still responsible for notifying its members and regulator. However, the credit union may authorize or contract with its service provider to send those notifications on its behalf.
The 72-Hour Rule
As of September 1, 2023, all federally insured credit unions are required to notify the NCUA as soon as possible, and no later than 72 hours, after the credit union reasonably believes it has experienced a “reportable cyber incident” or has received a notification from a third party regarding a reportable cyber incident. Note that the clock starts at the point of reasonable belief, not at confirmation: an incident-response procedure should record when that determination was made, since waiting for forensic certainty can consume the entire window.
A reportable cyber incident is any “substantial” cyber incident that leads to one or more of the following:
- A substantial loss of confidentiality, integrity, or availability of a network or member information system that results from the unauthorized access to or exposure of sensitive data, disrupts vital member services, or has a serious impact on the safety and resiliency of operational systems and processes.
- A disruption of business operations, vital member services, or a member information system resulting from a cyberattack or exploitation of vulnerabilities.
- A disruption of business operations or unauthorized access to sensitive data facilitated through, or caused by, a compromise of a credit union service organization, cloud service provider, or other third-party data hosting provider or by a supply chain compromise.
Some examples of reportable cyber incidents include:
- Ransomware attacks impacting critical systems or data.
- Unauthorized access to an information system containing a substantial amount of sensitive member information.
- Data breach exposing a substantial amount of employee personally identifiable information.
- Distributed denial of service attack causing significant downtime.
- Phishing attack resulting in successful installation of malware.
For more examples, see NCUA Letter 23-CU-07: Cyber Incident Notification Requirements.
What about state law?
Note that this blog post covers only NCUA’s requirements. Many states have enacted their own consumer privacy and data security laws that may provide additional protections. Some of these laws specifically exempt federally chartered banks and credit unions that must already comply with GLBA; however, some do not.
Further, while GLBA preempts inconsistent state provision(s) that conflict with federal standards, state laws that provide stronger consumer protections (e.g., broader notice requirements) may still be applicable to federally chartered institutions.
