Another arm of the federal government is moving to require organizations under its regulatory purview to notify and report when they are hacked.
The National Credit Union Administration, a small federal agency created in 1970 to supervise federal credit unions, will propose a new regulation this week that would compel federally insured credit unions to report “substantial” cyber incidents to the government within 72 hours. Such notification would function as an “early alert” to the government and would not require detailed incident assessments within that timeframe, according to a notice set to publish in tomorrow’s Federal Register.
The agency notes that cyberattacks targeting the financial sector have become more common in recent years and some, like ransomware, can severely affect backups and data recovery operations.
“Given the frequency and severity of cyber incidents within the financial services industry, the Board believes it is important that the National Credit Union Administration be notified of cyber incidents that disrupt a federally insured credit union’s operations, lead to unauthorized access to sensitive data, or disrupt members’ access to accounts or services,” the agency wrote.
The regulation would encourage (but not require) credit unions to contact law enforcement.
A reportable cyber incident is defined in the rule as any substantial cyber incident that results in the loss of confidentiality, integrity or availability of a network or member information system due to unauthorized access, has a serious impact on the safety or resiliency of operational systems and processes, or exploits vulnerabilities to disrupt business operations, steal data or compromise a credit union service, whether through the credit union’s internal IT networks or through third parties such as cloud computing providers.
NCUA said including third parties is especially important because many credit unions tend to rely on a small ecosystem of technology vendors. For example, just five vendors are responsible for approximately 87% of total credit union system assets.
“Significant problems or a failure with a critical vendor or CUSO has the potential to result in disruption, including losses, to many credit unions and, in turn, pose risk to the National Credit Union Share Insurance Fund (NCUSIF) and national economic security given the amount and type of data held and processed, as well as the number of Americans who use credit unions for financial services.”
The small agency, with a budget of $381 million, becomes the latest federal body to implement mandatory rules for reporting hacks and other digitally enabled compromises to the federal government. The Cybersecurity and Infrastructure Security Agency, Securities and Exchange Commission, Transportation Security Administration and others have all moved to put similar rules in place for critical infrastructure or publicly traded companies as the federal government seeks to better understand the scope and impact of these threats across American society. Key to that goal is regular reporting from companies, utilities and other regulated organizations when they fall victim to a ransomware attack or other compromise.
“We really have an insufficient operational visibility into our critical systems,” said Michael Dransfield, a senior technical executive for control systems cybersecurity at the NSA, earlier this month while talking about federal awareness of cyber threats affecting the energy sector and other industries at an event hosted by Nozomi Networks. “The White House is taking some steps … but in general we’re still lacking in visibility into these critical control systems within our critical infrastructure.”