Cyber Incident Notification Requirements for Federally Insured Credit Unions, 12811-12817 [2023-03682]
Federal Register / Vol. 88, No. 40 / Wednesday, March 1, 2023 / Rules and Regulations

NATIONAL CREDIT UNION ADMINISTRATION

12 CFR Part 748

RIN 3133–AF47

Cyber Incident Notification Requirements for Federally Insured Credit Unions

AGENCY: National Credit Union Administration.

ACTION: Final rule.

SUMMARY: The National Credit Union Administration (NCUA or agency) is amending Part 748 of its regulations to require a federally insured credit union (FICU) that experiences a reportable cyber incident to report the incident to the NCUA as soon as possible and no later than 72 hours after the FICU reasonably believes that it has experienced a reportable cyber incident. This notification requirement provides an early alert to the NCUA and does not require a FICU to provide a detailed incident assessment to the NCUA within the 72-hour time frame.

DATES: The effective date of this final rule is September 1, 2023.

FOR FURTHER INFORMATION CONTACT: Policy: Christina Saari, Information Systems Officer, Office of Examination and Insurance, at (703) 283–0121; Legal: Gira Bose, Senior Staff Attorney, Office of General Counsel, at (703) 518–6540.

SUPPLEMENTARY INFORMATION:

I. Introduction
II. Overview of the Final Rule
III. Legal Authority
IV. Discussion of Public Comments Received on the Proposed Rule
V. Regulatory Procedures

I. Introduction

A. Background

The NCUA’s requirement that FICUs develop written security programs and report certain activity to the NCUA is codified in 12 CFR part 748. In July 2022, the NCUA Board (Board) approved a notice of proposed rulemaking (proposal or proposed rule) that would require a FICU to notify the NCUA of any cyber incident that rises to the level of a reportable cyber incident.[1] The proposed rule would require such notification as soon as possible but no later than 72 hours after a FICU reasonably believes that a reportable cyber incident has occurred. As stated in the proposed rule, given the growing frequency and severity of cyber incidents within the financial services industry, it is important that the NCUA receive timely notice of cyber incidents that disrupt a FICU’s operations, lead to unauthorized access to sensitive data, or disrupt members’ access to accounts or services.

[1] 87 FR 45029 (July 27, 2022).
B. Summary of Proposed Rule

The proposed rule added a provision to 12 CFR 748.1 for the NCUA to require notification of any cyber incident that rises to the level of a reportable cyber incident as soon as possible but no later than 72 hours after a FICU reasonably believes that a reportable cyber incident has occurred. As first stated in the proposed rule and finalized here, in accordance with § 704.1(a) of the NCUA’s regulations, this rule also applies to federally chartered corporate credit unions and federally insured, state-chartered corporate credit unions.

The proposed rule defined a cyber incident as an occurrence that actually or imminently jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information on an information system or actually or imminently jeopardizes, without lawful authority, an information system.[2]

The proposed rule defined a reportable cyber incident as any substantial cyber incident that leads to one or more of the following: a substantial loss of confidentiality,[3] integrity,[4] or availability of a network or member information system[5] that results from the unauthorized access to or exposure of sensitive data,[6] disrupts[7] vital member services,[8] or has a serious impact on the safety and resiliency of operational systems and processes; a disruption of business operations, vital member services, or a member information system resulting from a cyberattack[9] or exploitation of vulnerabilities; and/or a disruption of business operations or unauthorized access to sensitive data facilitated through, or caused by, a compromise[10] of a credit union service organization, cloud service provider, managed service provider, or other third-party data hosting provider or by a supply chain compromise.

[2] 6 U.S.C. 659(a)(5).
[3] Confidentiality means preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information. See https://csrc.nist.gov/glossary/term/confidentiality. The agency is using definitions from the National Institute of Standards and Technology (NIST), as appropriate. NIST is a familiar and trusted source in the cybersecurity arena and is routinely cited by the Federal Financial Institutions Examination Council and individual federal agencies.
[4] Integrity means guarding against improper information modification or destruction and includes ensuring information non-repudiation and authenticity. See https://csrc.nist.gov/glossary/term/integrity.
[5] Member information system means any method used to access, collect, store, use, transmit, protect, or dispose of member information. 12 CFR part 748, appendix A, section I.B.2.e.
[6] Sensitive data is defined as any information which by itself, or in combination with other information, could be used to cause harm to a credit union or credit union member and any information concerning a person or the person’s account which is not public information, including any non-public personally identifiable information.
[7] A disruption is an unplanned event that causes an information system to be inoperable for a length of time. https://csrc.nist.gov/glossary/term/disruption.
[8] Vital member services means informational account inquiries, share withdrawals and deposits, and loan payments and disbursements. 12 CFR 749.1.
[9] Cyberattack is an attack, via cyberspace, targeting an enterprise’s use of cyberspace for the purpose of disrupting, disabling, destroying, or maliciously controlling a computing environment/infrastructure; or destroying the integrity of the data or stealing controlled information. See https://csrc.nist.gov/glossary/term/Cyber_Attack.
[10] A compromise is the unauthorized disclosure, modification, substitution, or use of sensitive data or the unauthorized modification of a security-related system, device, or process in order to gain unauthorized access. See https://csrc.nist.gov/glossary/term/compromise.

The proposed rule definition excluded any event where the cyber incident was performed in good faith by an entity in response to a specific request by the owner or operator of the information system.

The Board is adopting this final rule largely as proposed to give the NCUA early notice of substantial cyber incidents that have consequences for FICUs as stated in the rule.

Shortly before the Board issued its proposed rule, Congress enacted the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (Cyber Incident Reporting Act) requiring covered entities to report covered cyber incidents to the Cybersecurity and Infrastructure Security Agency (CISA) not later than 72 hours after the entity reasonably believes that a covered cyber incident has occurred.[11] CISA has until 2025 to publish a final rule implementing the Cyber Incident Reporting Act’s requirements, including defining the terms used therein. Nevertheless, as stated in the proposed rule, the Board believes that it would be imprudent in light of the increasing frequency and severity of cyber incidents to postpone a notification requirement until after CISA promulgates a final rule. To the extent possible, and as appropriate for the credit union system, this final rule uses terminology and a reporting framework that Congress outlined in the Cyber Incident Reporting Act. The Board believes it is in the best interest of the credit union system to align the NCUA’s rule with the Cyber Incident Reporting Act to provide uniform and timely cyber incident reporting. It is the intention of the Board for the NCUA to coordinate with CISA on any future credit union cyber incident reporting to avoid duplicate reporting to both the NCUA and CISA.

[11] The Cyber Incident Reporting for Critical Infrastructure Act of 2022, part of the Consolidated Appropriations Act of 2022, Division Y, Public Law 117–103 (Mar. 15, 2022), is available at https://www.congress.gov/bill/117th-congress/house-bill/2471/text.
II. Overview of the Final Rule

After carefully considering the comments received, the NCUA is issuing this final rule largely as proposed, as discussed in this section of the preamble.

Definitions

The proposed rule defined a reportable cyber incident as, among other things, any substantial cyber incident that leads to a substantial loss of confidentiality, integrity, or availability of a network or member information system that results from the unauthorized access to or exposure of sensitive data, disrupts vital member services, or has a serious impact on the safety and resiliency of operational systems and processes. Some commenters felt that the duplicate use of the term substantial was redundant. That was not the intent of the definition. While the word used is the same, substantial applies in two different contexts and thus is retained in both places to ensure that the agency receives notification of cyber incidents that are substantial. This terminology also aligns with the language used in the Cyber Incident Reporting Act. In the event such a cyber incident is one that leads to a substantial loss of confidentiality, integrity, or availability of a network or member information system, as opposed to a minimal loss, then such incident would be reportable to the agency.

The first prong of the reportable cyber incident definition will require a FICU to notify the NCUA of a cyber incident that leads to a substantial loss of confidentiality, integrity, or availability of a member information system as a result of the exposure of sensitive data, disruption of vital member services, or that has a serious impact on the safety and resiliency of operational systems and processes. For example, if a FICU becomes aware that a substantial level of sensitive data is unlawfully accessed, modified, or destroyed, or if the integrity of a network or member information system is compromised, the cyber incident is reportable. If the credit union becomes aware that a member information system has been unlawfully modified and/or sensitive data has been left exposed to an unauthorized person, process, or device, that cyber incident is also reportable, irrespective of intent. There are many technological reasons why services may not be available at any given time as, for example, computer servers are offline, or systems are being updated. Such events are routine and thus would not be reportable to the NCUA. However, a failed system upgrade or change that results in unplanned widespread user outages for FICU members and employees would be reportable.

The second prong of the reportable cyber incident definition will require reporting to the NCUA in the event of a cyberattack that leads to a disruption of business operations, vital member services, or a member information system. Cyberattacks that cause disruption to a FICU’s business operations, vital member services, or a member information system must be reported to the NCUA within 72 hours of a FICU’s reasonable belief that it has experienced a cyberattack. For example, a distributed denial of service (DDoS) attack that disrupts member account access will be reportable under this prong.

Blocked phishing attempts, failed attempts to gain access to systems, or unsuccessful malware attacks do not have to be reported.

The third prong of the reportable cyber incident definition will require a FICU to notify the agency within 72 hours after a third-party has informed a FICU that the FICU’s sensitive data or business operations have been compromised or disrupted as a result of a cyber incident experienced by the third-party or upon the FICU forming a reasonable belief this has occurred, whichever occurs sooner. A cyber incident, under the third prong, would also only be reportable in the event that the third-party has a relationship with the FICU. The rule does not impose a notification requirement on a FICU for an incident occurring at any third-party that, unbeknownst and unrelated to the FICU, holds information about individuals who happen to be FICU members or employees.

A FICU will not be required to report an incident performed in good faith by an entity in response to a request by the owner or operator of the information system. An example of an incident excluded from reporting would be the contracting of a third-party to conduct a penetration test.[12]

III. Legal Authority

The Board issues this final rule pursuant to its authority under the Federal Credit Union Act (FCUA). Section 209 of the FCUA is a plenary grant of regulatory authority to the Board to issue rules and regulations necessary or appropriate to carry out its role as share insurer for all FICUs.[13] Section 206 of the FCUA requires the agency to impose corrective measures whenever, in the opinion of the Board, any FICU is engaged in or has engaged in unsafe or unsound practices in conducting its business.[14] Accordingly, the FCUA grants the Board broad rulemaking authority to ensure that the credit union industry and the National Credit Union Share Insurance Fund (Share Insurance Fund) remain safe and sound.

IV. Discussion of Public Comments Received on the Proposed Rule

The proposed rule provided for a 60-day public comment period, which closed on September 26, 2022. The NCUA received 17 comments in response to the proposed rule. These comments came from credit unions, credit union trade associations and leagues, service providers, and individual members of the public.

Twelve commenters expressed support for the proposal. One commenter felt it was premature for the Board to issue a rule at this time because promulgating a rule now could lead to conflicts with standards yet to be determined by CISA, which Congress has tasked with issuing cybersecurity notification rules across many sectors, including financial services.
Four credit union commenters disagreed with the premise that knowing about and responding to cyber incidents is important to the NCUA’s mission. These commenters stated that the preamble articulated no benefits to members and that members are already protected by a FICU’s data security program, which the NCUA has the opportunity to evaluate during the examination cycle. These four commenters stated that the NCUA should show deference to a FICU’s decision regarding whether or not to report an incident because the FICU will be in the best position to know whether it has met the elements of a reportable cyber incident.

[12] A penetration test is a test methodology in which assessors, typically working under specific constraints, attempt to circumvent or defeat the security features of a system. See Assessing Security and Privacy Controls in Information Systems and Organizations, NIST Special Publication 800–53A Revision 5 at 697. Available at https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53Ar5.pdf.
[13] 12 U.S.C. 1789(a)(11).
[14] 12 U.S.C. 1786(b)(1). There are a number of references to “safety and soundness” in the FCUA. See 12 U.S.C. 1757(5)(A)(vi)(I), 1759(d & f), 1781(c)(2), 1782(a)(6)(B), 1786(b), 1786(e), 1786(f), 1786(g), 1786(k)(2), 1786(r), 1786(s), and 1790d(h).

The Board has considered these comments and has determined to proceed to a final rule at this time. As discussed in the preamble to the proposed rule, the financial services sector is one of the main critical infrastructure sectors targeted by cyberattacks. The agency has a statutory obligation to ensure the safety and soundness of the credit union system and the Share Insurance Fund. Thus, the NCUA must be made aware of cyber incidents that could significantly impact FICUs and their members. Commenters are correct in that this rule does not change the NCUA’s ability to review data security programs during the examination cycle. This rule merely requires early notification to the agency of substantial cyber incidents. Early awareness can help the NCUA react to emerging threats to FICUs and the broader financial system before they become systemic. As stated in the proposed rule, this notification requirement is intended to serve as an early alert to the agency and is not intended to include a lengthy assessment of the incident. The NCUA will be providing additional reporting guidance prior to the final rule going into effect. However, anytime a FICU is unsure as to whether a cyber incident is reportable, the Board encourages the FICU to contact the agency.

Commenters focused on the following specific issues:
Reporting Timeframe

The proposed rule put forward a 72-hour reporting window for FICUs to notify the NCUA of a cyber incident that rises to the level of a reportable cyber incident. The proposal asked commenters to discuss whether 72 hours is appropriate or if another time frame is warranted, such as 36 hours as the Federal banking agencies require. Fourteen commenters expressed support for the 72-hour reporting window. Three of these commenters asked the agency to be aware that, while 72 hours is generally reasonable, even this may be burdensome for smaller institutions. One commenter stated that the proposed timeframe will correspond with additional administrative burden for credit unions. One commenter preferred the 36-hour time frame since this would be consistent with the Federal banking agencies’ rule and should not be burdensome in light of the limited information being sought.

Three commenters recommended that the 72-hour reporting period begin only once a FICU has actually discovered a reportable cyber incident, as the Federal banking agencies require, rather than requiring FICUs to come to a reasonable belief that a reportable cyber incident has occurred. Another commenter stated that the Board should not require reporting until the FICU is aware of helpful details.

This final rule maintains the reporting period set forth in the proposed rule requiring a FICU to notify the NCUA as soon as possible but no later than 72 hours after the FICU reasonably believes that a reportable cyber incident has occurred. This is the same reporting requirement CISA must implement under the Cyber Incident Reporting Act. By maintaining the expectation that a FICU does not have a reporting obligation until it has a reasonable belief that a reportable cyber incident has occurred, the Board is providing flexibility based on specific circumstances that may occur. Only once the FICU has formed a reasonable belief that it has experienced a reportable cyber incident would the requirement to report within 72 hours be triggered. The Board does not believe this minimal notification requirement would be burdensome to even the smallest institutions. The burden is likely to result from the cyber incident itself. Early notification to the agency could be beneficial in a number of ways, including helping the FICU protect its members and obtaining the agency’s guidance with the response.
Reporting Process

With regard to where and how FICUs should report cyber incidents, two commenters stated that they would prefer a single point of contact in the NCUA’s central office and multiple methods of reporting—secure online portal, email, and telephone. One commenter expressed a preference for reporting to the regional office but recognized that the NCUA may prefer all FICUs to report to the central office. This commenter suggested that if reporting is done via portal, then FICUs should be permitted to go back and edit their reporting. Two commenters asked the NCUA to develop a form or checklist that lists the information the agency is looking for. One commenter stated that the NCUA should provide a clear reporting mechanism via secure email or web form. Finally, one commenter expressed support for multiple methods of reporting but suggested that the NCUA permit FICUs to report to their regional office contacts so as to ensure that the NCUA staff evaluating the incident are familiar with the affected FICU’s operations.

The proposed rule states that cyber incidents may be reported via email, telephone, or other similar methods that the NCUA may prescribe. The Board believes that this approach addresses the need for flexibility, including if one or more communication channels are impacted by the cyber incident. The NCUA will be providing more detailed reporting guidance before the effective date of the final rule.

One commenter asked for clarity on what follow-up communications the agency expects after a FICU provides the initial notification of a reportable cyber incident. The proposed rule stated, “the NCUA anticipates that further follow-up communications between the FICU and the agency will occur through the supervisory process, as necessary,” but did not explain what such communications would entail or what the expected frequency or level of detail would be.

The NCUA will determine the necessity and frequency of follow-up communications on a case-by-case basis. Factors in making this determination may include the severity of impact, the ability to recover and restore services, and the potential risk to the financial system. These factors may evolve over time. The NCUA is aware that during a reportable cyber incident, FICUs will be focused on recovery and, thus, the agency will generally limit contact during such incidents to minimize burden on FICUs.

Confidentiality

Five commenters expressed concern for the security of the information reported to the NCUA and the potential negative consequences to FICUs in the event sensitive information were to leak. These commenters stated that it is vital for the NCUA to have a secure infrastructure with confidentiality controls and limits on the number of agency personnel with access to the reported information. One commenter asked the NCUA to clarify that cyber incident reports are not only subject to part 792 of the NCUA’s rules but are also exempt from Freedom of Information Act (FOIA) requests.

The NCUA receives confidential financial information from FICUs on a routine basis as a function of its role as a financial regulator and insurer. Like all federal agencies, the NCUA must comply with mandatory security standards for federal information and information systems.[15] The NCUA meets these requirements by employing a defense-in-depth[16] approach to information and system security, including robust technical and administrative controls and comprehensive procedures for preventing and addressing potential compromises to information in the NCUA’s custody and control.[17] Reporting under this rule will be subject to part 792 of the NCUA’s rules and exempt from FOIA requests under FOIA exemptions 4 and 8, and potentially exemptions 6 and 7(c).[18]

[15] Federal Information Security Modernization Act of 2014 (FISMA), 44 U.S.C. Chapter 35; FIPS Publication 199, Standards for Security Categorization of Federal Information and Information Systems; FIPS Publication 200, Minimum Security Requirements for Federal Information and Information Systems.
[16] Defense-in-Depth is the application of multiple countermeasures in a layered or stepwise manner to achieve security objectives. See https://csrc.nist.gov/glossary/term/defense_in_depth.
[17] NIST Special Publication 800–53 (Rev. 5), Security and Privacy Controls for Federal Information Systems and Organizations.
[18] 12 CFR part 792; 5 U.S.C. 552(b)(4), (6), (7)(c), and (8).

Definition of Reportable Cyber Incident

Eight commenters suggested the NCUA provide more clarity around what the agency considers to be a substantial cyber incident. Of these, five commenters stated that the NCUA should focus on the materiality of the incident and include a materiality standard to avoid overreporting and to provide a sufficient threshold to ensure reporting only of major disruptions and not minor ones. One of these commenters stated that the definition of reportable cyber incident itself is acceptable and leaves room to enable ongoing alignment with other frameworks such as future CISA guidance. However, the commenter stated that the definition of substantial should include a materiality standard. One commenter suggested that substantial could be defined based on the percentage of members impacted, duration of impact, or other similar metrics which scale with the size of the FICU. Another commenter suggested that any factors used to define substantial should be principles-based rather than enumerate different types of data, systems, or other static elements, which can quickly change as best practices and mitigation strategies evolve over time. This commenter noted that, however defined, the agency should grant appropriate deference to the reasonable judgment of the FICU. Another commenter expressed support for the definition of reportable cyber incident but stated that rather than just providing a definition of substantial, it would be more helpful if the NCUA were to provide examples of reportable incidents.
The Board agrees that a definition that relies on specific data points, systems, or other static elements may be unnecessarily complicated and may quickly become obsolete. By using the term substantial, the Board seeks to convey an expectation that the agency will be notified of cyber incidents that are extensive or significant to the FICU or its members (or both), rather than minor or inconsequential. The dictionary definition of substantial is “something that is important, essential, considerable in quantity, or significantly great.”[19] In lieu of a more complicated definition, the agency intends to add to the examples of reportable cyber incidents provided in the proposed rule. Commenters who requested that a materiality standard be added to the term substantial did not offer any definitions or suggest how a material cyber incident would be something other than a substantial cyber incident. If a FICU is unsure as to whether a cyber incident is reportable, the Board encourages the FICU to contact the agency. However, once the rule is implemented the agency will continue to assess whether further clarity or guidance is needed over time.

Examples of Reportable Cyber Incidents

Three commenters stated that the list of reportable incidents in the proposed rule is helpful and should be kept current. One commenter stated that the NCUA should provide more examples of non-reportable incidents.

The NCUA will be providing additional reporting guidance and examples of reportable incidents and non-reportable incidents prior to the effective date of this final rule. In addition, the NCUA is retaining the examples provided in the proposed rule with some minor edits, as discussed below.

The agency is clarifying the following example which was cited in the proposed rule: “A systems compromise resulting from card skimming,” is being changed to “Member information compromised as a result of card skimming at a credit union’s ATM.”[20]

[19] Merriam Webster Dictionary, available at https://www.merriam-webster.com/dictionary/substantial.
[20] See example 7 at 87 FR 45029, 45032 (July 27, 2022).

Third-Party Compromise

Two commenters noted that contracts with third-party service providers may not perfectly align with the reporting proposed in this rule. One commenter sought clarification that the NCUA is not intending to impact existing contractual relationships. Another commenter stated that FICU reporting of third-party breaches should only be required once the third-party notifies the FICU that its information has been materially compromised. Without receiving information from the third-party, the FICU has no way to know if it has experienced a cyber incident.
One commenter noted that third-parties only provide notification once their investigations are almost complete. Another commenter expressed concerns about the ability of FICUs to make decisions about third-party breaches when third-parties may be reluctant to offer information until they have done their own investigations. Thus, the commenter stated that the NCUA should defer to a FICU’s judgment about whether a reportable cyber incident has occurred. Another commenter stated that the NCUA must focus on when the FICU formed a reasonable belief and not when a third-party made that determination. Finally, one commenter stated that the NCUA should not, as suggested by one example in the preamble to the proposed rule, impose a reporting requirement when a FICU employee’s personally identifiable information (PII) is implicated in a data breach at another organization that has no affiliation with the FICU.

This rule does not impact existing contractual relationships. While the proposed rule asked FICUs to share how third-parties provide notice to FICUs in the event of a cyber incident, there is no requirement in the proposed or final rules that FICUs amend existing contracts to comply with this rule. The rule requires only that the agency receive notice of a reportable cyber incident that impacts a FICU either within 72 hours of being notified by a third-party or within 72 hours of a FICU forming a reasonable belief that it has experienced a reportable cyber incident. For example, a FICU reasonably may not be aware that a third-party has experienced a breach absent a notification from the third-party. However, if a FICU experiences a disruption by losing access to its member accounts, it reasonably should be aware that its core service provider has been compromised. The rule does not permit FICUs to provide notice only after the FICU or the third-party have completed all their investigations because the core purpose of the rule is for the agency to receive an early notification that an incident has occurred. The Board recognizes that a FICU’s understanding of an incident is likely to evolve, and initial reporting can be incomplete or even inaccurate due to limited information. However, early notification, even if substantively limited, is preferable when compared to delayed notification which may have the effect of impeding the agency’s situational awareness.

Finally, regarding the example referenced by one commenter, a substantial cyber incident that leads to the breach of a FICU employee’s PII would only be reportable in the event that the third-party has an affiliation or relationship with the FICU by, for example, providing payroll services to the FICU. The example is not intended to impose a notification requirement on a FICU for an incident occurring at any third-party that, unbeknownst and unrelated to the FICU, holds information about individuals who happen to be FICU members or employees.
Clarification of Other Sections of Part 748
With regard to catastrophic act
reporting under § 748.1(b), two
commenters stated that there is
insufficient clarity to differentiate this
new proposed reporting requirement
from the existing catastrophic act
reporting requirement and, thus, the
latter should be updated to state that it
does not include cyber incident
reporting. Another commenter stated
that, in the event of any overlap
between the two reporting requirements,
the agency should permit such reporting
to receive the longer five-day
catastrophic act reporting timeframe.
The Board does not intend to amend
the catastrophic act reporting
requirement at this time. The Board
believes that the two reporting
requirements are sufficiently distinct.
As stated in the proposed rule, while natural disasters were the leading concern in the aftermath of hurricanes Katrina and Rita, the use of the phrasing ‘‘any disaster, natural or otherwise’’ in the definition of catastrophic act was meant to illustrate that other events, such as a power grid failure or physical attack, could have a similar impact on access to member services and vital records. While some cyber events may fall within the § 748.1(b)
definition of catastrophic act, the Board
believes they are sufficiently
distinguishable and distinct to warrant
separate consideration. The Board
further believes that the longstanding
requirement that FICUs be given five
business days to report catastrophic
acts, as defined in § 748.1(b), is still
appropriate. However, the agency will
continue to monitor the issue after this
rule goes into effect, in the event
clarification is needed.
With regard to Appendix B guidance,
one commenter stated that Appendix B
should be amended to state that it does
not supersede this rule. Another
commenter stated that the NCUA should
remove the Appendix B language that
refers to reporting to a FICU’s regional
director because most reportable
incidents covered by Appendix B will
be covered by this rule.
The Board does not intend to amend
Appendix B at this time. However,
Appendix B provides guidance on
FICUs’ obligations under § 748.0 and
applicable statutes and, thus, does not
supersede this rule.21 If a FICU
experiences a reportable cyber incident,
that incident shall be reported under the
requirements of this rule.
Finally, another commenter stated
that while there is some overlap with
existing Part 748 reporting
requirements, the overlap is minimal,
and the proposed rule sufficiently
clarifies the requirements of each.
With regard to the definition of vital
member services, one commenter stated
that the definition needs to be updated
to reflect changes in how vital services
are delivered to members. Another
commenter stated that the NCUA should
not require reporting for non-malicious
system outages; for example, incidents
that involve a substantial loss of
availability of a network that disrupts
vital member services when a FICU
undertakes a technology transition or
system upgrade. In these situations, the
commenter stated that reporting to the
FICU’s board of directors should be
sufficient.
The NCUA recognizes that FICUs will
have planned updates and planned
outages that will not require
notification. However, a failed system
upgrade that causes widespread
unplanned outages for members would
be reportable under this final rule.
Coordination With the States and Other
Agencies
Five commenters stated that it is
important to coordinate with other
regulatory agencies to minimize
redundancy and inconsistency. One of
these commenters specifically noted the
importance of coordinating with state
regulators. One commenter encouraged
the NCUA to engage with the Financial
Services Information Sharing and
Analysis Center. Another commenter
noted the importance of coordinating with CISA and the U.S. Treasury to ensure harmonization with the Cyber Incident Reporting Act.
21 The Board’s final rule on the role of supervisory guidance provides further discussion on the role and use of guidance in the supervisory process. 86 FR 7949 (Feb. 3, 2021).
The final rule does not prevent
existing supervisory information sharing
frameworks. The Board agrees that
voluntary information sharing is
important and encourages FICUs to
continue sharing information through
established channels. The agency
intends to coordinate with CISA, state
and federal regulators, and the U.S.
Treasury as much as possible.
Policy Expectations
Two commenters noted that it is
important for the NCUA to define what
its policy expectations are, to issue
supervisory guidance for institutions to
review in developing their policies and
procedures, and to show how examiners
will assess reported incidents during the
annual exam. One commenter stated
that it is unclear what follow up action
the NCUA is expecting and, thus, this
represents an unaccounted impact on
FICUs. This commenter also suggested
the NCUA create a safe harbor for FICUs
that make good faith efforts to perform
a reasonable assessment of a cyber
incident.
The NCUA will be providing further
supervisory guidance prior to the
effective date of the final rule. However,
cyber incidents may still be reviewed
during an annual examination or as part
of a supervision contact. This rule does
not change the examination and
supervision process.
Ransomware
Five commenters mentioned
ransomware. Two commenters stated
that ransomware reporting should be the
same as for other cyber incidents. One
commenter supported a shorter window
for ransomware reporting. One
commenter stated that the NCUA should
follow CISA, and one commenter said
more specifically that the agency should
wait until we know how CISA will
handle ransomware reporting.
Notification to the agency of
ransomware incidents should be the
same as the reporting required under
this rule for other cyber incidents.
While the Cyber Incident Reporting Act
does require entities to report
ransomware payments within 24 hours,
CISA has not yet promulgated
regulations to that effect and this rule
does not create a separate reporting
framework for ransomware payments.
However, the Board encourages FICUs
to contact law enforcement and CISA, as
appropriate, in the event of a cyber
incident that may be criminal in nature.
Application to federally chartered corporate credit unions and federally insured, state-chartered corporate credit unions.
The proposed rule applied to
federally chartered and federally
insured, state-chartered corporate credit
unions. Only one commenter mentioned
this point and stated that they support
such application. The final rule does not
amend this aspect of the proposed rule.
Thus, the final rule applies to all FICUs
including all federally insured corporate
credit unions.
V. Regulatory Procedures
A. Regulatory Flexibility Act
The Regulatory Flexibility Act
requires the NCUA to prepare an
analysis to describe any significant
economic impact a regulation may have
on a substantial number of small
entities.22 For purposes of this analysis,
the NCUA considers small credit unions
to be those having under $100 million
in assets.23 The final rule requires a
FICU to notify the NCUA upon
experiencing a substantial cyber
incident. This notification requirement
is not expected to increase cost burdens
on FICUs as it requires only that FICUs
provide an early notification to the
agency without requiring any detailed
assessments or evaluations. Also, while
the final rule could lead to cost savings
for FICUs if the NCUA or other
government agencies can help to
mitigate the impact of a cyber incident,
the Board does not expect the final rule
to accord a significant economic benefit
to a substantial number of FICUs.
Accordingly, the NCUA certifies that the
final rule will not have a significant
economic impact on a substantial
number of small credit unions.
22 5 U.S.C. 603(a).
23 80 FR 57512 (Sept. 24, 2015).
B. Paperwork Reduction Act
The Paperwork Reduction Act of 1995 (PRA) (44 U.S.C. 3501 et seq.) requires that the Office of Management and Budget (OMB) approve all collections of information by a Federal agency from the public before they can be implemented. Respondents are not required to respond to any collection of information unless it displays a valid OMB control number. In accordance with the PRA, the information collection requirements included in this final rule have been submitted to OMB for approval under control number 3133–0033, Security Program, 12 CFR 748.
C. Executive Order 13132
Executive Order 13132 encourages independent regulatory agencies to consider the impact of their actions on state and local interests. In adherence to fundamental federalism principles, the NCUA, an independent regulatory agency as defined in 44 U.S.C. 3502(5), voluntarily complies with the Executive order. This rulemaking will not have a substantial direct effect on the states, on the connection between the national government and the states, or on the distribution of power and responsibilities among the various levels of government. Although the final rule applies to federally insured, state-chartered credit unions (FISCUs), it imposes only a minimal reporting requirement and does not affect the ability of state regulatory agencies to regulate, supervise, or examine FISCUs on this subject. Therefore, the NCUA has determined that this final rule does not constitute a policy that has federalism implications for purposes of the Executive order.
D. Assessment of Federal Regulations and Policies on Families
The NCUA has determined that this final rule will not affect family well-being within the meaning of Section 654 of the Treasury and General Government Appropriations Act, 1999.24
24 Public Law 105–277, 112 Stat. 2681 (1998).
E. Small Business Regulatory Enforcement Fairness Act
The Small Business Regulatory Enforcement Fairness Act of 1996 (SBREFA) generally provides for congressional review of agency rules.25 A reporting requirement is triggered in instances where the NCUA issues a final rule as defined by section 551 of the Administrative Procedure Act. An agency rule, in addition to being subject to congressional oversight, may also be subject to a delayed effective date if the rule is a ‘‘major rule.’’ The NCUA does not believe this rule is a ‘‘major rule’’ within the meaning of the relevant sections of SBREFA. As required by SBREFA, the NCUA will submit this final rule to OMB for it to determine whether the final rule is a ‘‘major rule’’ for purposes of SBREFA. The NCUA also will file appropriate reports with Congress and the Government Accountability Office so this rule may be reviewed.
For purposes of the Congressional Review Act, the OMB makes a determination as to whether a final rule constitutes a ‘‘major rule.’’ If a rule is deemed a ‘‘major rule’’ by the OMB, the Congressional Review Act generally provides that the rule may not take effect until at least 60 days following its publication. The Congressional Review Act defines a ‘‘major rule’’ as any rule that the Administrator of the Office of Information and Regulatory Affairs of the OMB finds has resulted in or is likely to result in (1) an annual effect on the economy of $100 million or more; (2) a major increase in costs or prices for consumers, individual industries, Federal, State, or local government agencies or geographic regions, or (3) significant adverse effects on competition, employment, investment, productivity, innovation, or on the ability of U.S.-based enterprises to compete with foreign-based enterprises in domestic and export markets.26
25 5 U.S.C. 551.
26 5 U.S.C. 804(2).
List of Subjects in 12 CFR Part 748
Computer technology, Confidential business information, Credit unions, internet, Personally identifiable information, Privacy, Reporting and recordkeeping requirements, Security measures.
By the NCUA Board on February 16, 2023.
Melane Conyers-Ausbrooks,
Secretary of the Board.
For the reasons stated in the preamble, the NCUA Board amends 12 CFR part 748, as follows:
PART 748—SECURITY PROGRAM, SUSPICIOUS TRANSACTIONS, CATASTROPHIC ACTS, CYBER INCIDENTS, AND BANK SECRECY ACT COMPLIANCE
■ 1. The authority citation for part 748 is revised to read as follows:
Authority: 12 U.S.C. 1766(a), 1786(b)(1), 1786(q), 1789(a)(11); 15 U.S.C. 6801–6809; 31 U.S.C. 5311 and 5318.
■ 2. Revise the heading for part 748 to read as set forth above.
■ 3. Amend § 748.1 as follows:
■ a. Redesignate paragraph (c) as paragraph (d); and
■ b. Add a new paragraph (c).
The addition reads as follows:
§ 748.1 Filing of reports.
* * * * *
(c) Cyber incident report. Each federally insured credit union must notify the appropriate NCUA-designated point of contact of the occurrence of a reportable cyber incident via email, telephone, or other similar methods that the NCUA may prescribe. The NCUA must receive this notification as soon as possible but no later than 72 hours after a federally insured credit union reasonably believes that it has experienced a reportable cyber incident or, if reporting pursuant to paragraph
(c)(1)(i)(C) of this section, within 72
hours of being notified by a third-party,
whichever is sooner.
(1) Reportable cyber incident. (i) A
reportable cyber incident is any
substantial cyber incident that leads to
one or more of the following:
(A) A substantial loss of
confidentiality, integrity, or availability
of a network or member information
system as defined in appendix A,
section I.B.2.e., of this part that results
from the unauthorized access to or
exposure of sensitive data, disrupts vital
member services as defined in § 749.1
of this chapter, or has a serious impact
on the safety and resiliency of
operational systems and processes.
(B) A disruption of business
operations, vital member services, or a
member information system resulting
from a cyberattack or exploitation of
vulnerabilities.
(C) A disruption of business
operations or unauthorized access to
sensitive data facilitated through, or
caused by, a compromise of a credit
union service organization, cloud
service provider, or other third-party
data hosting provider or by a supply
chain compromise.
(ii) A reportable cyber incident does
not include any event where the cyber
incident is performed in good faith by
an entity in response to a specific
request by the owner or operators of the
system.
(2) Definitions. For purposes of this
part:
Compromise means the unauthorized
disclosure, modification, substitution,
or use of sensitive data or the
unauthorized modification of a security-related system, device, or process in
order to gain unauthorized access.
Confidentiality means preserving
authorized restrictions on information
access and disclosure, including means
for protecting personal privacy and
proprietary information.
Cyber incident means an occurrence
that actually or imminently jeopardizes,
without lawful authority, the integrity,
confidentiality, or availability of
information on an information system,
or actually or imminently jeopardizes,
without lawful authority, an
information system.
Cyberattack means an attack, via
cyberspace, targeting an enterprise’s use
of cyberspace for the purpose of
disrupting, disabling, destroying, or
maliciously controlling a computing
environment/infrastructure; or
destroying the integrity of the data or
stealing controlled information.
Disruption means an unplanned event
that causes an information system to be
inoperable for a length of time.
Integrity means guarding against
improper information modification or
destruction and includes ensuring
information non-repudiation and
authenticity.
Sensitive data means any information
which by itself, or in combination with
other information, could be used to
cause harm to a credit union or credit
union member and any information
concerning a person or their account
which is not public information,
including any non-public personally
identifiable information.
* * * * *
■ 4. Amend appendix B to part 748 as follows:
■ a. Redesignate footnotes 29 through 42 as footnotes 1 through 14;
■ b. In the introductory text of section I:
■ i. Revise the first sentence; and
■ ii. Remove ‘‘Part 748’’ and add ‘‘this part’’ in its place; and
■ c. Revise newly redesignated footnotes 1 and 11.
The revisions read as follows:
Appendix B to Part 748—Guidance on
Response Programs for Unauthorized
Access to Member Information and
Member Notice
I. * * *
This appendix provides guidance on
NCUA’s Security Program, Suspicious
Transactions, Catastrophic Acts, Cyber
Incidents, and Bank Secrecy Act Compliance
regulation,1 interprets section 501(b) of the
Gramm-Leach-Bliley Act (‘‘GLBA’’), and
describes response programs, including
member notification procedures, that a
federally insured credit union should
develop and implement to address
unauthorized access to or use of member
information that could result in substantial
harm or inconvenience to a member. * * *
* * * * *
1 This part.
* * * * *
11 A credit union’s obligation to file a SAR is set forth in § 748.1(d).
* * * * *
[FR Doc. 2023–03682 Filed 2–28–23; 8:45 am]
BILLING CODE 7535–01–P
Agencies
[Federal Register Volume 88, Number 40 (Wednesday, March 1, 2023)]
[Rules and Regulations]
[Pages 12811-12817]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2023-03682]
[[Page 12811]]
=======================================================================
-----------------------------------------------------------------------
NATIONAL CREDIT UNION ADMINISTRATION
12 CFR Part 748
RIN 3133-AF47
Cyber Incident Notification Requirements for Federally Insured
Credit Unions
AGENCY: National Credit Union Administration.
ACTION: Final rule.
-----------------------------------------------------------------------
SUMMARY: The National Credit Union Administration (NCUA or agency) is
amending Part 748 of its regulations to require a federally insured
credit union (FICU) that experiences a reportable cyber incident to
report the incident to the NCUA as soon as possible and no later than
72 hours after the FICU reasonably believes that it has experienced a
reportable cyber incident. This notification requirement provides an
early alert to the NCUA and does not require a FICU to provide a
detailed incident assessment to the NCUA within the 72-hour time frame.
DATES: The effective date of this final rule is September 1, 2023.
FOR FURTHER INFORMATION CONTACT: Policy: Christina Saari, Information
Systems Officer, Office of Examination and Insurance, at (703) 283-
0121; Legal: Gira Bose, Senior Staff Attorney, Office of General
Counsel, at (703) 518-6540.
SUPPLEMENTARY INFORMATION:
I. Introduction
II. Overview of the Final Rule
III. Legal Authority
IV. Discussion of Public Comments Received on the Proposed Rule
V. Regulatory Procedures
I. Introduction
A. Background
The NCUA's requirement that FICUs develop written security programs
and report certain activity to the NCUA is codified in 12 CFR part 748.
In July 2022, the NCUA Board (Board) approved a notice of proposed
rulemaking (proposal or proposed rule) that would require a FICU to
notify the NCUA of any cyber incident that rises to the level of a
reportable cyber incident.\1\ The proposed rule would require such
notification as soon as possible but no later than 72 hours after a
FICU reasonably believes that a reportable cyber incident has occurred.
---------------------------------------------------------------------------
\1\ 87 FR 45029 (July 27, 2022).
---------------------------------------------------------------------------
As stated in the proposed rule, given the growing frequency and
severity of cyber incidents within the financial services industry, it
is important that the NCUA receive timely notice of cyber incidents
that disrupt a FICU's operations, lead to unauthorized access to
sensitive data, or disrupt members' access to accounts or services.
B. Summary of Proposed Rule
The proposed rule added a provision to 12 CFR 748.1 for the NCUA to
require notification of any cyber incident that rises to the level of a
reportable cyber incident as soon as possible but no later than 72
hours after a FICU reasonably believes that a reportable cyber incident
has occurred. As first stated in the proposed rule and finalized here,
in accordance with Sec. 704.1(a) of the NCUA's regulations, this rule
also applies to federally chartered corporate credit unions and
federally insured, state-chartered corporate credit unions.
The proposed rule defined a cyber incident as an occurrence that
actually or imminently jeopardizes, without lawful authority, the
integrity, confidentiality, or availability of information on an
information system or actually or imminently jeopardizes, without
lawful authority, an information system.\2\
---------------------------------------------------------------------------
\2\ 6 U.S.C. 659(a)(5).
---------------------------------------------------------------------------
The proposed rule defined a reportable cyber incident as any
substantial cyber incident that leads to one or more of the following:
a substantial loss of confidentiality,\3\ integrity,\4\ or availability
of a network or member information system \5\ that results from the
unauthorized access to or exposure of sensitive data,\6\ disrupts \7\
vital member services,\8\ or has a serious impact on the safety and
resiliency of operational systems and processes; a disruption of
business operations, vital member services, or a member information
system resulting from a cyberattack \9\ or exploitation of
vulnerabilities; and/or a disruption of business operations or
unauthorized access to sensitive data facilitated through, or caused
by, a compromise \10\ of a credit union service organization, cloud
service provider, managed service provider, or other third-party data
hosting provider or by a supply chain compromise.
---------------------------------------------------------------------------
\3\ Confidentiality means preserving authorized restrictions on
information access and disclosure, including means for protecting
personal privacy and proprietary information. See https://csrc.nist.gov/glossary/term/confidentiality. The agency is using
definitions from the National Institute of Standards and Technology
(NIST), as appropriate. NIST is a familiar and trusted source in the
cybersecurity arena and is routinely cited by the Federal Financial
Institutions Examination Council and individual federal agencies.
\4\ Integrity means guarding against improper information
modification or destruction and includes ensuring information non-
repudiation and authenticity. See https://csrc.nist.gov/glossary/term/integrity.
\5\ Member information system means any method used to access,
collect, store, use, transmit, protect, or dispose of member
information. 12 CFR part 748, appendix A, section I.B.2.e.
\6\ Sensitive data is defined as any information which by
itself, or in combination with other information, could be used to
cause harm to a credit union or credit union member and any
information concerning a person or the person's account which is not
public information, including any non-public personally identifiable
information.
\7\ A disruption is an unplanned event that causes an
information system to be inoperable for a length of time. https://csrc.nist.gov/glossary/term/disruption.
\8\ Vital member services means informational account inquiries,
share withdrawals and deposits, and loan payments and disbursements.
12 CFR 749.1.
\9\ Cyberattack is an attack, via cyberspace, targeting an
enterprise's use of cyberspace for the purpose of disrupting,
disabling, destroying, or maliciously controlling a computing
environment/infrastructure; or destroying the integrity of the data
or stealing controlled information. See https://csrc.nist.gov/
glossary/term/
Cyber_Attack#:~:text=An%20attack%2C%20via%20cyberspace%2C%20targeting
%20an%20enterprise%E2%80%99s%20use,SP%201800-
10B%20from%20NIST%20SP%20800-30%20Rev.%201.
\10\ A compromise is the unauthorized disclosure, modification,
substitution, or use of sensitive data or the unauthorized
modification of a security-related system, device, or process in
order to gain unauthorized access. See https://csrc.nist.gov/
glossary/term/
compromise#:~:text=Definition(s)%3A,an%20object%20may%20have%20occurr
ed.
---------------------------------------------------------------------------
The proposed rule definition excluded any event where the cyber
incident was performed in good faith by an entity in response to a
specific request by the owner or operator of the information system.
The Board is adopting this final rule largely as proposed to give
the NCUA early notice of substantial cyber incidents that have
consequences for FICUs as stated in the rule.
Shortly before the Board issued its proposed rule, Congress enacted
the Cyber Incident Reporting for Critical Infrastructure Act of 2022
(Cyber Incident Reporting Act) requiring covered entities to report
covered cyber incidents to the Cybersecurity and Infrastructure
Security Agency (CISA) not later than 72 hours after the entity
reasonably believes that a covered cyber incident has occurred.\11\
CISA has until 2025 to publish a final rule implementing the Cyber
Incident Reporting Act's requirements, including defining the terms
used therein. Nevertheless, as stated in the proposed rule, the Board
believes that it would be imprudent in light of the increasing
frequency and severity of cyber
[[Page 12812]]
incidents to postpone a notification requirement until after CISA
promulgates a final rule. To the extent possible, and as appropriate
for the credit union system, this final rule uses terminology and a
reporting framework that Congress outlined in the Cyber Incident
Reporting Act. The Board believes it is in the best interest of the
credit union system to align the NCUA's rule with the Cyber Incident
Reporting Act to provide uniform and timely cyber incident reporting.
It is the intention of the Board for the NCUA to coordinate with CISA
on any future credit union cyber incident reporting to avoid duplicate
reporting to both the NCUA and CISA.
---------------------------------------------------------------------------
\11\ The Cyber Incident Reporting for Critical Infrastructure
Act of 2022, part of the Consolidated Appropriations Act of 2022,
Division Y, Public Law 117-103 (Mar. 15, 2022), is available at
https://www.congress.gov/bill/117th-congress/house-bill/2471/text.
---------------------------------------------------------------------------
II. Overview of the Final Rule
After carefully considering the comments received, the NCUA is
issuing this final rule largely as proposed, as discussed in this
section of the preamble.
Definitions
The proposed rule defined a reportable cyber incident as, among
other things, any substantial cyber incident that leads to a
substantial loss of confidentiality, integrity, or availability of a
network or member information system that results from the unauthorized
access to or exposure of sensitive data, disrupts vital member
services, or has a serious impact on the safety and resiliency of
operational systems and processes. Some commenters felt that the
duplicate use of the term substantial was redundant. That was the not
the intent of the definition. While the word used is the same,
substantial applies in two different contexts and thus is retained in
both places to ensure that the agency receives notification of cyber
incidents that are substantial. This terminology also aligns with the
language used in the Cyber Incident Reporting Act. In the event such a
cyber incident is one that leads to a substantial loss of
confidentiality, integrity, or availability of a network or member
information system, as opposed to a minimal loss, then such incident
would be reportable to the agency.
The first prong of the reportable cyber incident definition will
require a FICU to notify the NCUA of a cyber incident that leads to a
substantial loss of confidentiality, integrity, or availability of a
member information system as a result of the exposure of sensitive
data, disruption of vital member services, or that has a serious impact
on the safety and resiliency of operational systems and processes. For
example, if a FICU becomes aware that a substantial level of sensitive
data is unlawfully accessed, modified, or destroyed, or if the
integrity of a network or member information system is compromised, the
cyber incident is reportable. If the credit union becomes aware that a
member information system has been unlawfully modified and/or sensitive
data has been left exposed to an unauthorized person, process, or
device, that cyber incident is also reportable, irrespective of intent.
There are many technological reasons why services may not be
available at any given time as, for example, computer servers are
offline, or systems are being updated. Such events are routine and thus
would not be reportable to the NCUA. However, a failed system upgrade
or change that results in unplanned widespread user outages for FICU
members and employees would be reportable.
The second prong of the reportable cyber incident definition will
require reporting to the NCUA in the event of a cyberattack that leads
to a disruption of business operations, vital member services, or a
member information system. Cyberattacks that cause disruption to a
FICU's business operations, vital member services, or a member
information system must be reported to the NCUA within 72 hours of a
FICU's reasonable belief that it has experienced a cyberattack. For
example, a distributed denial of service (DDoS) attack that disrupts
member account access will be reportable under this prong.
Blocked phishing attempts, failed attempts to gain access to
systems, or unsuccessful malware attacks do not have to be reported.
The third prong of the reportable cyber incident definition will
require a FICU to notify the agency within 72 hours after a third-party
has informed a FICU that the FICU's sensitive data or business
operations have been compromised or disrupted as a result of a cyber
incident experienced by the third-party or upon the FICU forming a
reasonable belief this has occurred, whichever occurs sooner. A cyber
incident under the third prong would also only be reportable in the
event that the third-party has a relationship with the FICU. The rule
does not impose a notification requirement on a FICU for an incident
occurring at any third-party that, unbeknownst and unrelated to the
FICU, holds information about individuals who happen to be FICU members
or employees.
A FICU will not be required to report an incident performed in good
faith by an entity in response to a request by the owner or operator of
the information system. An example of an incident excluded from
reporting would be the contracting of a third-party to conduct a
penetration test.\12\
---------------------------------------------------------------------------
\12\ A penetration test is a test methodology in which
assessors, typically working under specific constraints, attempt to
circumvent or defeat the security features of a system. See
Assessing Security and Privacy Controls in Information Systems and
Organizations, NIST Special Publication 800-53A Revision 5 at 697.
Available at https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53Ar5.pdf.
---------------------------------------------------------------------------
III. Legal Authority
The Board issues this final rule pursuant to its authority under
the Federal Credit Union Act (FCUA). Section 209 of the FCUA is a
plenary grant of regulatory authority to the Board to issue rules and
regulations necessary or appropriate to carry out its role as share
insurer for all FICUs.\13\ Section 206 of the FCUA requires the agency
to impose corrective measures whenever, in the opinion of the Board,
any FICU is engaged in or has engaged in unsafe or unsound practices in
conducting its business.\14\ Accordingly, the FCUA grants the Board
broad rulemaking authority to ensure that the credit union industry and
the National Credit Union Share Insurance Fund (Share Insurance Fund)
remain safe and sound.
---------------------------------------------------------------------------
\13\ 12 U.S.C. 1789(a)(11).
\14\ 12 U.S.C. 1786(b)(1). There are a number of references to
``safety and soundness'' in the FCUA. See 12 U.S.C.
1757(5)(A)(vi)(I), 1759(d & f), 1781(c)(2), 1782(a)(6)(B), 1786(b),
1786(e), 1786(f), 1786(g), 1786(k)(2), 1786(r), 1786(s), and
1790d(h).
---------------------------------------------------------------------------
IV. Discussion of Public Comments Received on the Proposed Rule
The proposed rule provided for a 60-day public comment period,
which closed on September 26, 2022. The NCUA received 17 comments in
response to the proposed rule. These comments came from credit unions,
credit union trade associations and leagues, service providers, and
individual members of the public.
Twelve commenters expressed support for the proposal. One commenter
felt it was premature for the Board to issue a rule at this time
because promulgating a rule now could lead to conflicts with standards
yet to be determined by CISA, which Congress has tasked with issuing
cybersecurity notification rules across many sectors, including
financial services.
Four credit union commenters disagreed with the premise that
knowing about and responding to cyber incidents is important to the
NCUA's mission. These commenters stated that the preamble articulated
no benefits to members and that members are already protected by a
FICU's data security program, which the NCUA has the
[[Page 12813]]
opportunity to evaluate during the examination cycle. These four
commenters stated that the NCUA should show deference to a FICU's
decision regarding whether or not to report an incident because the
FICU will be in the best position to know whether it has met the
elements of a reportable cyber incident.
The Board has considered these comments and has determined to
proceed to a final rule at this time. As discussed in the preamble to
the proposed rule, the financial services sector is one of the main
critical infrastructure sectors targeted by cyberattacks. The agency
has a statutory obligation to ensure the safety and soundness of the
credit union system and the Share Insurance Fund. Thus, the NCUA must
be made aware of cyber incidents that could significantly impact FICUs
and their members. Commenters are correct in that this rule does not
change the NCUA's ability to review data security programs during the
examination cycle. This rule merely requires early notification to the
agency of substantial cyber incidents. Early awareness can help the
NCUA react to emerging threats to FICUs and the broader financial
system before they become systemic. As stated in the proposed rule,
this notification requirement is intended to serve as an early alert to
the agency and is not intended to include a lengthy assessment of the
incident. The NCUA will be providing additional reporting guidance
prior to the final rule going into effect. However, anytime a FICU is
unsure as to whether a cyber incident is reportable, the Board
encourages the FICU to contact the agency.
Commenters focused on the following specific issues:
Reporting Timeframe
The proposed rule put forward a 72-hour reporting window for FICUs
to notify the NCUA of a cyber incident that rises to the level of a
reportable cyber incident. The proposal asked commenters to discuss
whether 72 hours is appropriate or if another time frame is warranted,
such as 36 hours as the Federal banking agencies require. Fourteen
commenters expressed support for the 72-hour reporting window. Three of
these commenters asked the agency to be aware that, while 72 hours is
generally reasonable, even this may be burdensome for smaller
institutions. One commenter stated that the proposed timeframe will
correspond with additional administrative burden for credit unions. One
commenter preferred the 36-hour time frame since this would be
consistent with the Federal banking agencies' rule and should not be
burdensome in light of the limited information being sought.
Three commenters recommended that the 72-hour reporting period
begin only once a FICU has actually discovered a reportable cyber
incident, as the Federal banking agencies require, rather than
requiring FICUs to come to a reasonable belief that a reportable cyber
incident has occurred. Another commenter stated that the Board should
not require reporting until the FICU is aware of helpful details.
This final rule maintains the reporting period set forth in the
proposed rule requiring a FICU to notify the NCUA as soon as possible
but no later than 72 hours after the FICU reasonably believes that a
reportable cyber incident has occurred. This is the same reporting
requirement CISA must implement under the Cyber Incident Reporting Act.
By maintaining the expectation that a FICU does not have a reporting
obligation until it has a reasonable belief that a reportable cyber
incident has occurred, the Board is providing flexibility based on
specific circumstances that may occur. Only once the FICU has formed a
reasonable belief that it has experienced a reportable cyber incident
would the requirement to report within 72 hours be triggered. The Board
does not believe this minimal notification requirement would be
burdensome to even the smallest institutions. The burden is likely to
result from the cyber incident itself. Early notification to the agency
could be beneficial in a number of ways, including helping the FICU
protect its members and obtaining the agency's guidance with the
response.
Reporting Process
With regard to where and how FICUs should report cyber incidents,
two commenters stated that they would prefer a single point of contact
in the NCUA's central office and multiple methods of reporting--secure
online portal, email, and telephone. One commenter expressed a
preference for reporting to the regional office but recognized that the
NCUA may prefer all FICUs to report to the central office. This
commenter suggested that if reporting is done via portal, then FICUs
should be permitted to go back and edit their reporting. Two commenters
asked the NCUA to develop a form or checklist that lists the
information the agency is looking for. One commenter stated that the
NCUA should provide a clear reporting mechanism via secure email or web
form. Finally, one commenter expressed support for multiple methods of
reporting but suggested that the NCUA permit FICUs to report to their
regional office contacts so as to ensure that the NCUA staff evaluating
the incident are familiar with the affected FICU's operations.
The proposed rule states that cyber incidents may be reported via
email, telephone, or other similar methods that the NCUA may prescribe.
The Board believes that this approach addresses the need for
flexibility, including if one or more communication channels are
impacted by the cyber incident. The NCUA will be providing more
detailed reporting guidance before the effective date of the final
rule.
One commenter asked for clarity on what follow-up communications
the agency expects after a FICU provides the initial notification of a
reportable cyber incident. The proposed rule stated, ``the NCUA
anticipates that further follow-up communications between the FICU and
the agency will occur through the supervisory process, as necessary,''
but did not explain what such communications would entail or what the
expected frequency or level of detail would be.
The NCUA will determine the necessity and frequency of follow-up
communications on a case-by-case basis. Factors in making this
determination may include the severity of impact, the ability to
recover and restore services, and the potential risk to the financial
system. These factors may evolve over time. The NCUA is aware that
during a reportable cyber incident, FICUs will be focused on recovery
and, thus, the agency will generally limit contact during such
incidents to minimize burden on FICUs.
Confidentiality
Five commenters expressed concern for the security of the
information reported to the NCUA and the potential negative
consequences to FICUs in the event sensitive information were to leak.
These commenters stated that it is vital for the NCUA to have a secure
infrastructure with confidentiality controls and limits on the number
of agency personnel with access to the reported information. One
commenter asked the NCUA to clarify that cyber incident reports are not
only subject to part 792 of the NCUA's rules but are also exempt from
Freedom of Information Act (FOIA) requests.
The NCUA receives confidential financial information from FICUs on
a routine basis as a function of its role as a financial regulator and
insurer. Like all federal agencies, the NCUA must comply with mandatory
security standards for federal information and
[[Page 12814]]
information systems.\15\ The NCUA meets these requirements by employing
a defense-in-depth \16\ approach to information and system security,
including robust technical and administrative controls and
comprehensive procedures for preventing and addressing potential
compromises to information in the NCUA's custody and control.\17\
---------------------------------------------------------------------------
\15\ Federal Information Security Modernization Act of 2014
(FISMA), 44 U.S.C. Chapter 35; FIPS Publication 199, Standards for
Security Categorization of Federal Information and Information
Systems; FIPS Publication 200, Minimum Security Requirements for
Federal Information and Information Systems.
\16\ Defense-in-Depth is the application of multiple
countermeasures in a layered or stepwise manner to achieve security
objectives. See https://csrc.nist.gov/glossary/term/defense_in_depth.
\17\ NIST Special Publication 800-53 (Rev. 5), Security and
Privacy Controls for Federal Information Systems and Organizations.
---------------------------------------------------------------------------
Reporting under this rule will be subject to part 792 of the NCUA's
rules and exempt from FOIA requests under FOIA exemptions 4 and 8, and
potentially exemptions 6 and 7(c).\18\
---------------------------------------------------------------------------
\18\ 12 CFR part 792; 5 U.S.C. 552(b)(4), (6), (7)(c), and (8).
---------------------------------------------------------------------------
Definition of Reportable Cyber Incident
Eight commenters suggested the NCUA provide more clarity around
what the agency considers to be a substantial cyber incident. Of these,
five commenters stated that the NCUA should focus on the materiality of
the incident and include a materiality standard to avoid overreporting
and to provide a sufficient threshold to ensure reporting only of major
disruptions and not minor ones. One of these commenters stated that the
definition of reportable cyber incident itself is acceptable and leaves
room to enable ongoing alignment with other frameworks such as future
CISA guidance. However, the commenter stated that the definition of
substantial should include a materiality standard.
One commenter suggested that substantial could be defined based on
the percentage of members impacted, duration of impact, or other
similar metrics which scale with the size of the FICU. Another
commenter suggested that any factors used to define substantial should
be principles-based rather than enumerate different types of data,
systems, or other static elements, which can quickly change as best
practices and mitigation strategies evolve over time. This commenter
noted that, however defined, the agency should grant appropriate
deference to the reasonable judgment of the FICU. Another commenter
expressed support for the definition of reportable cyber incident but
stated that rather than just providing a definition of substantial, it
would be more helpful if the NCUA were to provide examples of
reportable incidents.
The Board agrees that a definition that relies on specific data
points, systems, or other static elements may be unnecessarily
complicated and may quickly become obsolete. By using the term
substantial, the Board seeks to convey an expectation that the agency
will be notified of cyber incidents that are extensive or significant
to the FICU or its members (or both), rather than minor or
inconsequential. The dictionary definition of substantial is
``something that is important, essential, considerable in quantity, or
significantly great.'' \19\ In lieu of a more complicated definition,
the agency intends to add to the examples of reportable cyber incidents
provided in the proposed rule. Commenters who requested that a
materiality standard be added to the term substantial did not offer any
definitions or suggest how a material cyber incident would be something
other than a substantial cyber incident. If a FICU is unsure as to
whether a cyber incident is reportable, the Board encourages the FICU
to contact the agency. However, once the rule is implemented the agency
will continue to assess whether further clarity or guidance is needed
over time.
---------------------------------------------------------------------------
\19\ Merriam-Webster Dictionary, available at https://www.merriam-webster.com/dictionary/substantial.
---------------------------------------------------------------------------
Examples of Reportable Cyber Incidents
Three commenters stated that the list of reportable incidents in
the proposed rule is helpful and should be kept current. One commenter
stated that the NCUA should provide more examples of nonreportable
incidents.
The NCUA will be providing additional reporting guidance and
examples of reportable incidents and non-reportable incidents prior to
the effective date of this final rule. In addition, the NCUA is
retaining the examples provided in the proposed rule with some minor
edits, as discussed below.
The agency is clarifying the following example which was cited in
the proposed rule: ``A systems compromise resulting from card
skimming,'' is being changed to ``Member information compromised as a
result of card skimming at a credit union's ATM.'' \20\
---------------------------------------------------------------------------
\20\ See example 7 at 87 FR 45029, 45032 (July 27, 2022).
---------------------------------------------------------------------------
Third-Party Compromise
Two commenters noted that contracts with third-party service
providers may not perfectly align with the reporting proposed in this
rule. One commenter sought clarification that the NCUA is not intending
to impact existing contractual relationships. Another commenter stated
that FICU reporting of third-party breaches should only be required
once the third-party notifies the FICU that its information has been
materially compromised. Without receiving information from the
third-party, the FICU has no way to know if it has experienced a cyber
incident.
One commenter noted that third-parties only provide notification
once their investigations are almost complete. Another commenter
expressed concerns about the ability of FICUs to make decisions about
third-party breaches when third-parties may be reluctant to offer
information until they have done their own investigations. Thus, the
commenter stated that the NCUA should defer to a FICU's judgment about
whether a reportable cyber incident has occurred. Another commenter
stated that the NCUA must focus on when the FICU formed a reasonable
belief and not when a third-party made that determination. Finally, one
commenter stated that the NCUA should not, as suggested by one example
in the preamble to the proposed rule, impose a reporting requirement
when a FICU employee's personally identifiable information (PII) is
implicated in a data breach at another organization that has no
affiliation with the FICU.
This rule does not impact existing contractual relationships. While
the proposed rule asked FICUs to share how third-parties provide notice
to FICUs in the event of a cyber incident, there is no requirement in
the proposed or final rules that FICUs amend existing contracts to
comply with this rule. The rule requires only that the agency receive
notice of a reportable cyber incident that impacts a FICU either within
72 hours of being notified by a third-party or within 72 hours of a
FICU forming a reasonable belief that it has experienced a reportable
cyber incident. For example, a FICU reasonably may not be aware that a
third-party has experienced a breach absent a notification from the
third-party. However, if a FICU experiences a disruption by losing
access to its member accounts, it reasonably should be aware that its
core service provider has been compromised. The rule does not permit
FICUs to provide notice only after the FICU or the third-party have
completed all their investigations because the core purpose of the rule
is for the agency to receive an early notification that an incident has
occurred. The Board recognizes that a FICU's understanding of an
incident is
[[Page 12815]]
likely to evolve, and initial reporting can be incomplete or even
inaccurate due to limited information. However, early notification,
even if substantively limited, is preferable when compared to delayed
notification which may have the effect of impeding the agency's
situational awareness.
Finally, regarding the example referenced by one commenter, a
substantial cyber incident that leads to the breach of a FICU
employee's PII would only be reportable in the event that the
third-party has an affiliation or relationship with the FICU by, for example,
providing payroll services to the FICU. The example is not intended to
impose a notification requirement on a FICU for an incident occurring
at any third-party that, unbeknownst and unrelated to the FICU, holds
information about individuals who happen to be FICU members or
employees.
Clarification of Other Sections of Part 748
With regard to catastrophic act reporting under Sec. 748.1(b), two
commenters stated that there is insufficient clarity to differentiate
this new proposed reporting requirement from the existing catastrophic
act reporting requirement and, thus, the latter should be updated to
state that it does not include cyber incident reporting. Another
commenter stated that, in the event of any overlap between the two
reporting requirements, the agency should permit such reporting to
receive the longer five-day catastrophic act reporting timeframe.
The Board does not intend to amend the catastrophic act reporting
requirement at this time. The Board believes that the two reporting
requirements are sufficiently distinct. As stated in the proposed rule,
while natural disasters were the leading concern in the aftermath of
hurricanes Katrina and Rita, the phrasing ``any disaster,
natural or otherwise'' in the definition of catastrophic act was meant
to illustrate that other events, such as a power grid failure or physical
attack, could have a similar impact on access to member
services and vital records. While some cyber-events may fall within the
Sec. 748.1(b) definition of catastrophic act, the Board believes they
are sufficiently distinguishable and distinct to warrant separate
consideration. The Board further believes that the longstanding
requirement that FICUs be given five business days to report
catastrophic acts, as defined in Sec. 748.1(b), is still appropriate.
However, the agency will continue to monitor the issue after this rule
goes into effect, in the event clarification is needed.
With regard to Appendix B guidance, one commenter stated that
Appendix B should be amended to state that it does not supersede this
rule. Another commenter stated that the NCUA should remove the Appendix
B language that refers to reporting to a FICU's regional director
because most reportable incidents covered by Appendix B will be covered
by this rule.
The Board does not intend to amend Appendix B at this time.
However, Appendix B provides guidance on FICUs' obligations under Sec.
748.0 and applicable statutes and, thus, does not supersede this
rule.\21\ If a FICU experiences a reportable cyber incident, that
incident shall be reported under the requirements of this rule.
---------------------------------------------------------------------------
\21\ The Board's final rule on the role of supervisory guidance
provides further discussion on the role and use of guidance in the
supervisory process. 86 FR 7949 (Feb. 3, 2021).
---------------------------------------------------------------------------
Finally, another commenter stated that while there is some overlap
with existing Part 748 reporting requirements, the overlap is minimal,
and the proposed rule sufficiently clarifies the requirements of each.
With regard to the definition of vital member services, one
commenter stated that the definition needs to be updated to reflect
changes in how vital services are delivered to members. Another
commenter stated that the NCUA should not require reporting for
non-malicious system outages; for example, incidents that involve a
substantial loss of availability of a network that disrupts vital
member services when a FICU undertakes a technology transition or
system upgrade. In these situations, the commenter stated that
reporting to the FICU's board of directors should be sufficient.
The NCUA recognizes that FICUs will have planned updates and
planned outages that will not require notification. However, a failed
system upgrade that causes widespread unplanned outages for members
would be reportable under this final rule.
Coordination With the States and Other Agencies
Five commenters stated that it is important to coordinate with
other regulatory agencies to minimize redundancy and inconsistency. One
of these commenters specifically noted the importance of coordinating
with state regulators. One commenter encouraged the NCUA to engage with
the Financial Services Information Sharing and Analysis Center. Another
commenter noted the importance of coordinating with CISA and the U.S.
Treasury to ensure harmonization with the Cyber Incident Reporting Act.
The final rule does not prevent existing supervisory information
sharing frameworks. The Board agrees that voluntary information sharing
is important and encourages FICUs to continue sharing information
through established channels. The agency intends to coordinate with
CISA, state and federal regulators, and the U.S. Treasury as much as
possible.
Policy Expectations
Two commenters noted that it is important for the NCUA to define
what its policy expectations are, to issue supervisory guidance for
institutions to review in developing their policies and procedures, and
to show how examiners will assess reported incidents during the annual
exam. One commenter stated that it is unclear what follow-up action the
NCUA is expecting and, thus, this represents an unaccounted impact on
FICUs. This commenter also suggested the NCUA create a safe harbor for
FICUs that make good faith efforts to perform a reasonable assessment
of a cyber incident.
The NCUA will be providing further supervisory guidance prior to
the effective date of the final rule. However, cyber incidents may
still be reviewed during an annual examination or as part of a
supervision contact. This rule does not change the examination and
supervision process.
Ransomware
Five commenters mentioned ransomware. Two commenters stated that
ransomware reporting should be the same as for other cyber incidents.
One commenter supported a shorter window for ransomware reporting. One
commenter stated that the NCUA should follow CISA, and one commenter
said more specifically that the agency should wait until it is known how
CISA will handle ransomware reporting.
Notification to the agency of ransomware incidents should be the
same as the reporting required under this rule for other cyber
incidents. While the Cyber Incident Reporting Act does require entities
to report ransomware payments within 24 hours, CISA has not yet
promulgated regulations to that effect and this rule does not create a
separate reporting framework for ransomware payments. However, the
Board encourages FICUs to contact law enforcement and CISA, as
appropriate, in the event of a cyber incident that may be criminal in
nature.
[[Page 12816]]
Application to federally chartered corporate credit unions and federally insured, state-chartered corporate credit unions.
The proposed rule applied to federally chartered and federally
insured, state-chartered corporate credit unions. Only one commenter
mentioned this point and stated that they support such application. The
final rule does not amend this aspect of the proposed rule. Thus, the
final rule applies to all FICUs including all federally insured
corporate credit unions.
V. Regulatory Procedures
A. Regulatory Flexibility Act
The Regulatory Flexibility Act requires the NCUA to prepare an
analysis to describe any significant economic impact a regulation may
have on a substantial number of small entities.\22\ For purposes of
this analysis, the NCUA considers small credit unions to be those
having under $100 million in assets.\23\ The final rule requires a FICU
to notify the NCUA upon experiencing a substantial cyber incident. This
notification requirement is not expected to increase cost burdens on
FICUs as it requires only that FICUs provide an early notification to
the agency without requiring any detailed assessments or evaluations.
Also, while the final rule could lead to cost savings for FICUs if the
NCUA or other government agencies can help to mitigate the impact of a
cyber incident, the Board does not expect the final rule to accord a
significant economic benefit to a substantial number of FICUs.
Accordingly, the NCUA certifies that the final rule will not have a
significant economic impact on a substantial number of small credit
unions.
---------------------------------------------------------------------------
\22\ 5 U.S.C. 603(a).
\23\ 80 FR 57512 (Sept. 24, 2015).
---------------------------------------------------------------------------
B. Paperwork Reduction Act
The Paperwork Reduction Act of 1995 (PRA) (44 U.S.C. 3501 et seq.)
requires that the Office of Management and Budget (OMB) approve all
collections of information by a Federal agency from the public before
they can be implemented. Respondents are not required to respond to any
collection of information unless it displays a valid OMB control
number. In accordance with the PRA, the information collection
requirements included in this final rule have been submitted to OMB for
approval under control number 3133-0033, Security Program, 12 CFR 748.
C. Executive Order 13132
Executive Order 13132 encourages independent regulatory agencies to
consider the impact of their actions on state and local interests. In
adherence to fundamental federalism principles, the NCUA, an
independent regulatory agency as defined in 44 U.S.C. 3502(5),
voluntarily complies with the Executive order. This rulemaking will not
have a substantial direct effect on the states, on the connection
between the national government and the states, or on the distribution
of power and responsibilities among the various levels of government.
Although the final rule applies to federally insured, state-chartered
credit unions (FISCUs), it imposes only a minimal reporting requirement
and does not affect the ability of state regulatory agencies to
regulate, supervise, or examine FISCUs on this subject. Therefore, the
NCUA has determined that this final rule does not constitute a policy
that has federalism implications for purposes of the Executive order.
D. Assessment of Federal Regulations and Policies on Families
The NCUA has determined that this final rule will not affect family
well-being within the meaning of Section 654 of the Treasury and
General Government Appropriations Act, 1999.\24\
---------------------------------------------------------------------------
\24\ Public Law 105-277, 112 Stat. 2681 (1998).
---------------------------------------------------------------------------
E. Small Business Regulatory Enforcement Fairness Act
The Small Business Regulatory Enforcement Fairness Act of 1996
(SBREFA) generally provides for congressional review of agency
rules.\25\ A reporting requirement is triggered in instances where the
NCUA issues a final rule as defined by section 551 of the
Administrative Procedure Act. An agency rule, in addition to being
subject to congressional oversight, may also be subject to a delayed
effective date if the rule is a ``major rule.'' The NCUA does not
believe this rule is a ``major rule'' within the meaning of the
relevant sections of SBREFA. As required by SBREFA, the NCUA will
submit this final rule to OMB for it to determine whether the final
rule is a ``major rule'' for purposes of SBREFA. The NCUA also will
file appropriate reports with Congress and the Government
Accountability Office so this rule may be reviewed.
---------------------------------------------------------------------------
\25\ 5 U.S.C. 551.
---------------------------------------------------------------------------
For purposes of the Congressional Review Act, the OMB makes a
determination as to whether a final rule constitutes a ``major rule.''
If a rule is deemed a ``major rule'' by the OMB, the Congressional
Review Act generally provides that the rule may not take effect until
at least 60 days following its publication. The Congressional Review
Act defines a ``major rule'' as any rule that the Administrator of the
Office of Information and Regulatory Affairs of the OMB finds has
resulted in or is likely to result in (1) an annual effect on the
economy of $100 million or more; (2) a major increase in costs or
prices for consumers, individual industries, Federal, State, or local
government agencies or geographic regions, or (3) significant adverse
effects on competition, employment, investment, productivity,
innovation, or on the ability of U.S.-based enterprises to compete with
foreign-based enterprises in domestic and export markets.\26\
---------------------------------------------------------------------------
\26\ 5 U.S.C. 804(2).
---------------------------------------------------------------------------
List of Subjects in 12 CFR Part 748
Computer technology, Confidential business information, Credit
unions, internet, Personally identifiable information, Privacy,
Reporting and recordkeeping requirements, Security measures.
By the NCUA Board on February 16, 2023.
Melane Conyers-Ausbrooks,
Secretary of the Board.
For the reasons stated in the preamble, the NCUA Board amends 12
CFR part 748, as follows:
PART 748--SECURITY PROGRAM, SUSPICIOUS TRANSACTIONS, CATASTROPHIC
ACTS, CYBER INCIDENTS, AND BANK SECRECY ACT COMPLIANCE
■ 1. The authority citation for part 748 is revised to read as follows:
Authority: 12 U.S.C. 1766(a), 1786(b)(1), 1786(q), 1789(a)(11);
15 U.S.C. 6801-6809; 31 U.S.C. 5311 and 5318.
■ 2. Revise the heading for part 748 to read as set forth above.
■ 3. Amend Sec. 748.1 as follows:
■ a. Redesignate paragraph (c) as paragraph (d); and
■ b. Add a new paragraph (c).
The addition reads as follows:
Sec. 748.1 Filing of reports.
* * * * *
(c) Cyber incident report. Each federally insured credit union must
notify the appropriate NCUA-designated point of contact of the
occurrence of a reportable cyber incident via email, telephone, or
other similar methods that the NCUA may prescribe. The NCUA must
receive this notification as soon as possible but no later than 72
hours after a federally insured credit union reasonably believes that
it has experienced a reportable cyber incident or, if reporting
pursuant to paragraph (c)(1)(i)(C) of this section, within 72 hours of
being notified by a third-party, whichever is sooner.
[[Page 12817]]
(1) Reportable cyber incident. (i) A reportable cyber incident is
any substantial cyber incident that leads to one or more of the
following:
(A) A substantial loss of confidentiality, integrity, or
availability of a network or member information system as defined in
appendix A, section I.B.2.e., of this part that results from the
unauthorized access to or exposure of sensitive data, disrupts vital
member services as defined in Sec. 749.1 of this chapter, or has a
serious impact on the safety and resiliency of operational systems and
processes.
(B) A disruption of business operations, vital member services, or
a member information system resulting from a cyberattack or
exploitation of vulnerabilities.
(C) A disruption of business operations or unauthorized access to
sensitive data facilitated through, or caused by, a compromise of a
credit union service organization, cloud service provider, or other
third-party data hosting provider or by a supply chain compromise.
(ii) A reportable cyber incident does not include any event where
the cyber incident is performed in good faith by an entity in response
to a specific request by the owner or operators of the system.
(2) Definitions. For purposes of this part:
Compromise means the unauthorized disclosure, modification,
substitution, or use of sensitive data or the unauthorized modification
of a security-related system, device, or process in order to gain
unauthorized access.
Confidentiality means preserving authorized restrictions on
information access and disclosure, including means for protecting
personal privacy and proprietary information.
Cyber incident means an occurrence that actually or imminently
jeopardizes, without lawful authority, the integrity, confidentiality,
or availability of information on an information system, or actually or
imminently jeopardizes, without lawful authority, an information
system.
Cyberattack means an attack, via cyberspace, targeting an
enterprise's use of cyberspace for the purpose of disrupting,
disabling, destroying, or maliciously controlling a computing
environment/infrastructure; or destroying the integrity of the data or
stealing controlled information.
Disruption means an unplanned event that causes an information
system to be inoperable for a length of time.
Integrity means guarding against improper information modification
or destruction and includes ensuring information non-repudiation and
authenticity.
Sensitive data means any information which by itself, or in
combination with other information, could be used to cause harm to a
credit union or credit union member and any information concerning a
person or their account which is not public information, including any
non-public personally identifiable information.
* * * * *
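The notification clock in Sec. 748.1(c) has one edge case worth getting right in an incident-response runbook: when the incident is reported under paragraph (c)(1)(i)(C) because a third party was compromised, the 72 hours run from the earlier of the credit union's own reasonable belief and the third party's notification. The following Python tracker is an added illustration, not NCUA code or part of the rule; the `CyberIncident` fields, the function names, and the sample incidents and timestamps are all constructed here. Whether an incident is "substantial" and which of criteria (A) through (C) it meets remains a judgement the incident lead records as input; the code only applies the exclusion in (c)(1)(ii) and the timing rule.

```python
"""Hypothetical deadline tracker for 12 CFR 748.1(c) (added illustration, not NCUA code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

NOTIFICATION_WINDOW = timedelta(hours=72)  # "no later than 72 hours" in Sec. 748.1(c)


@dataclass
class CyberIncident:
    """Facts an incident-response lead records about a substantial cyber incident.

    The three criteria mirror Sec. 748.1(c)(1)(i)(A)-(C); the exclusion mirrors
    (c)(1)(ii). Field names are hypothetical. Timestamps are timezone-aware.
    """
    name: str
    reasonable_belief_at: datetime           # when the FICU reasonably believed a reportable incident occurred
    substantial_cia_loss: bool = False       # (A) substantial loss of confidentiality, integrity, or availability
    operations_disrupted: bool = False       # (B) disruption of business operations, vital member services, or a member information system
    third_party_compromise: bool = False     # (C) caused by a compromised CUSO, cloud provider, data host, or supply chain
    third_party_notice_at: Optional[datetime] = None  # when the third party notified the FICU, if reporting under (C)
    authorized_good_faith: bool = False      # (ii) performed in good faith at the system owner's specific request


def is_reportable(incident: CyberIncident) -> bool:
    """Apply the (c)(1) test: at least one of (A)-(C) and not the (ii) exclusion."""
    if incident.authorized_good_faith:
        return False
    return (incident.substantial_cia_loss
            or incident.operations_disrupted
            or incident.third_party_compromise)


def notification_deadline(incident: CyberIncident) -> Optional[datetime]:
    """Deadline by which the NCUA must *receive* notice, or None if not reportable.

    The clock starts at the FICU's reasonable belief or, when reporting under (C),
    at the third party's notification, whichever is sooner.
    """
    if not is_reportable(incident):
        return None
    start = incident.reasonable_belief_at
    if incident.third_party_compromise and incident.third_party_notice_at is not None:
        start = min(start, incident.third_party_notice_at)
    return start + NOTIFICATION_WINDOW


def hours_remaining(incident: CyberIncident, now: datetime) -> Optional[float]:
    """Hours left before the deadline (negative once it has passed); None if not reportable."""
    deadline = notification_deadline(incident)
    if deadline is None:
        return None
    return (deadline - now).total_seconds() / 3600


# Constructed sample incidents, dated after the rule's September 1, 2023 effective date.
UTC = timezone.utc
SAMPLES = [
    CyberIncident("ransomware on core processing",
                  datetime(2023, 9, 5, 9, 30, tzinfo=UTC), operations_disrupted=True),
    # The cloud host told the FICU a day before the FICU's own analysis confirmed impact:
    # the 72 hours run from the earlier third-party notice.
    CyberIncident("cloud host breach",
                  datetime(2023, 9, 4, 10, 0, tzinfo=UTC), third_party_compromise=True,
                  third_party_notice_at=datetime(2023, 9, 3, 8, 0, tzinfo=UTC)),
    # Disruptive, but performed at the FICU's own request: excluded by (c)(1)(ii).
    CyberIncident("authorized penetration test",
                  datetime(2023, 9, 6, 12, 0, tzinfo=UTC), operations_disrupted=True,
                  authorized_good_faith=True),
]

if __name__ == "__main__":
    now = datetime(2023, 9, 5, 12, 0, tzinfo=UTC)
    for inc in SAMPLES:
        print(f"{inc.name}: reportable={is_reportable(inc)}, "
              f"deadline={notification_deadline(inc)}, hours left={hours_remaining(inc, now)}")
```

Run as a script, the tracker shows the cloud-host case is due on September 6 at 08:00 UTC even though the credit union's own belief formed on September 4, and the authorized test produces no deadline at all. A real runbook would also record when the NCUA point of contact actually received the notice, since the rule is framed around receipt, not dispatch.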
■ 4. Amend appendix B to part 748 as follows:
■ a. Redesignate footnotes 29 through 42 as footnotes 1 through 14;
■ b. In the introductory text of section I:
■ i. Revise the first sentence; and
■ ii. Remove ``Part 748'' and add ``this part'' in its place; and
■ c. Revise newly redesignated footnotes 1 and 11.
The revisions read as follows:
Appendix B to Part 748--Guidance on Response Programs for Unauthorized
Access to Member Information and Member Notice
I. * * *
This appendix provides guidance on NCUA's Security Program,
Suspicious Transactions, Catastrophic Acts, Cyber Incidents, and
Bank Secrecy Act Compliance regulation,\1\ interprets section 501(b)
of the Gramm-Leach-Bliley Act (``GLBA''), and describes response
programs, including member notification procedures, that a federally
insured credit union should develop and implement to address
unauthorized access to or use of member information that could
result in substantial harm or inconvenience to a member. * * *
* * * * *
\1\ This part.
* * * * *
\11\ A credit union's obligation to file a SAR is set forth in
Sec. 748.1(d).
* * * * *
[FR Doc. 2023-03682 Filed 2-28-23; 8:45 am]
BILLING CODE 7535-01-P