With threats ranging from unintentional human error to cyberattacks, members’ sensitive information is constantly at risk. Because of this, it is important that credit unions understand their reporting requirements when an information security incident occurs.
So, how do you determine whether to notify the NCUA regional director of an incident like this? First, we’ll take a look at the regulatory context for notifying NCUA when sensitive member information is improperly accessed or used, and then we’ll discuss the practical application of the notification provision.
Regulatory Context for Notification
The Gramm-Leach-Bliley Act requires the NCUA Board to establish appropriate standards for federally insured credit unions relating to administrative, technical and physical safeguards for member records and information. Accordingly, Part 748 of NCUA’s Rules and Regulations (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).) requires that federally insured credit unions establish a security program that—among other things—addresses the safeguards required by Gramm-Leach-Bliley and a credit union’s response to an incident of unauthorized access to or use of member information that could result in substantial harm or inconvenience to the member.
Appendix B to Part 748 of NCUA’s Rules and Regulations also states that a credit union’s response program should contain procedures for notifying the appropriate NCUA regional director. A federally insured, state-chartered credit union should also have procedures to notifiy their state supervisory authority as well. Notification should occur as soon as possible after the credit union becomes aware of an incident involving unauthorized access to or use of sensitive member information.
Specifically, the preamble of the Federal Register notice for Part 748, Appendix B, states:
The NCUA Board has concluded that the standard for notification to regulators should provide an early warning to allow [the] NCUA or applicable state supervisory agency to assess the effectiveness of a credit union’s response plan, and, where appropriate, to direct that notice be given to members if the credit union has not already done so.
Please note: “member information” is defined in Appendix A to Part 748 (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).) and “sensitive member information” is defined in Appendix B to Part 748 (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).) .
NCUA Legal Opinion 06-0332 (opens new window), issued after the implementation of Appendix B, clarified that “where an incident, even one involving sensitive member information, involves little or no likelihood of harm to the member, a credit union need not notify the NCUA.” As a result, your credit union’s risk assessment of the incident is a critical component of your response program, and a material factor in your decision to notify the regional director.
The Practical Application of the Notification Provision
Next, we’ll take a closer look at the practical application of the notification provision and your risk assessment.
Your credit union’s response program should describe your procedures surrounding notifications of members and regulators, among others. In determining whether the regional director notification is warranted, you should assess the nature and scope of the incident and the likelihood of harm to the member or members affected, based on the information available. In other words, you should determine the risk to the member or members involved.
For example, after determining the inherent risk, if applicable, consider any immediate corrective actions that you took to reduce the risk to the member. If, at the time of your risk assessment, the incident involves sensitive member information and presents the potential for harm (more than little- or no-likelihood of harm) to the member, you should notify the NCUA regional director. Federally insured, state-chartered credit unions should notify their state supervisory authority as well.
If your risk assessment supports a decision not to notify the NCUA regional director, maintaining documentation of your analysis is helpful in NCUA’s evaluation of your compliance with Part 748’s reporting expectations.
As a best practice, the content of your notification to the NCUA regional director should describe:
- The incident;
- The risk to the member or members;
- The corrective actions taken already;
- Any additional corrective or mitigating actions planned;
- Your coordination with law enforcement; and
- Any other relevant factors.
State supervisory authorities may have their own requirements for these types of notifications, so it is important that state-chartered credit unions know and understand the reporting requirements of their respective states.
Some credit unions may also opt to notify the NCUA regional director of other information security-related events in an effort to maintain open communications and transparency. NCUA will accept any notifications provided and encourages communication on any material concerns.
Finally, you may need to notify other parties, such as your insurance or bond company, of information security incidents. Your notification to your respective NCUA regional director does not take the place of filing a suspicious activity report, notifying the FBI, involving local law enforcement or reporting the incident to your state supervisory authority.
For more information, you can visit our Cybersecurity Resources webpage, which contains additional resources on regulatory requirements, best practices and other information security-related matters.