The Importance of Cybersecurity Incident Responsiveness: Is Your Plan Ready to Be Tested?
November 27, 2023
As more and more credit union members conduct their banking online, it’s important to address security concerns before they turn into problems. Financial institutions handle sensitive consumer data every single day. Members trust their credit unions to protect their data and take proper precautions to safeguard it. This is one of the most important duties of a credit union and the subject of intense regulation.
The National Credit Union Administration (NCUA) has revised their Cyber Incident Notification Requirements, 12 CFR 748.1(c), to provide more information on responsibilities, framework and guidance on cyber incidents, which they define as an event that has “a significant probability of compromising business operations and/or threatening data security.”
Cyber incidents not only put members’ sensitive information at risk, but also place strain on a credit union’s technology resources. On top of those consequences, credit unions may be faced with financial losses, damaged reputations and legal repercussions.
Key Elements for a Successful Cyber Incident Response Program
Every credit union should have a well-defined and documented cyber incident response policy and plan to help react to and recover from incidents faster and more effectively. The basic components of a well-defined program, as outlined by the NCUA, are:
- Detection and reporting
- Classification and prioritization
- Notification and escalation
- Lessons learned
With all the data that credit unions have, they are attractive targets for cyber incidents.
A successful plan can help organizations prevent, prepare, test and train for cyber incidents. These elements require cooperation between teams, so in addition to putting smart IT solutions in place, it’s important to educate staff about their duties.
Credit unions can protect staff and members by implementing procedures to prevent cyber incidents. This can be as simple as installing antivirus protection on staff computers, blocking ads and unsafe websites, performing regular vulnerability scans and applying secure configurations to all systems.
In addition, credit unions should work to ensure staff are properly trained on what to look for and how to react. When everyone understands their role in protecting the organization, it adds an extra layer of security to a cyber incident response plan.
Training & Testing
Hand in hand with prevention, credit unions should implement regular cyber security training and testing. When a team can identify and detect incidents faster, the IT team can jump in more quickly. Leaders can work with their credit union’s IT team to create a training program that is informative and engaging, including response workshops, tabletop exercises, or other activities.
Reporting on a Cyber Incident
Federally insured credit unions are required to notify the NCUA of cyber incidents. They should report these incidents as soon as they are aware, but the formal rule requires that:
- When a credit union experiences a reportable cyber incident, they must report the incident no later than 72 hours after they believe it has occurred, or
- When a credit union receives notification from a third party that sensitive data has been compromised or business operations have been disrupted due to a cyber incident, they have 72 hours from the notification or belief of a cyber incident.
Consult the NCUA’s guidance on cyber security incidents for specifics on the reporting process – what to include, how to report and what to expect.
With the constant evolution of cyber security threats, credit unions should continuously monitor updates from the NCUA and other regulatory bodies to ensure their cyber incident response policies and plans are in alignment and up-to-date.
Need a second set of eyes or help getting started? ViClarity’s compliance consulting team can assist with cybersecurity incident response policy development or review existing plans to ensure compliance with NCUA requirements and best practices.