NCUA’s Cyber Incident Notification Requirements and Vendor Management

Mar 22, 2023

The National Credit Union Administration (NCUA) delivered the Cyber Incident Notification Requirements for Federally Insured Credit Unions final rule on Feb. 16. While your information security and compliance departments are analyzing the final rule to determine what revisions are needed to update policies and procedures, be sure to include the vendor management (VM) department in the conversation. The final rule applies to your VM program, too.

Under the third prong of the final rule, the credit union is required to notify the NCUA within 72 hours after a third party has informed the credit union, or after the credit union has formed a reasonable belief, that the credit union’s sensitive data or business operations have been compromised or disrupted because of a vendor’s cyber incident. The NCUA made it clear that this prong applies only to a third party that has a relationship with the credit union. How confident are you that your vendors will inform you in a timely manner, or that the credit union would be able to identify a cyber incident if the vendor fails to notify you? Now is a good time to review your VM program to identify any gaps.

Vendor due diligence is a starting point for complying with the cyber incident notification final rule. The best time to get a solid understanding of the vendor’s controls and business practices is before the credit union ever signs a contract. The credit union’s due diligence should include questions about the vendor’s cyber security program and requests for policies, procedures, reports (such as the SOC report), and other documents that will provide the credit union with a solid understanding of the controls and business practices the vendor has implemented. Taking this due diligence a step further by asking the vendor how cyber security events are triaged and communicated will provide the credit union with information to make risk decisions around final rule compliance and where the credit union itself may need to implement additional mitigation steps.

The vendor contract is another means for ensuring compliance with the cyber incident notification final rule. While the NCUA is not requiring credit unions to amend the contracts with their existing vendors, reviewing contract language will help you identify whether the notification section in new contracts should be strengthened. Additionally, after the credit union has completed the vendor due diligence and understands the vendor’s cyber notification process, your legal counsel can take steps in contract negotiations to mitigate any risks in this area. The NCUA explicitly stated in the final rule that the expectation is for the agency to receive early notification of an event; therefore, the credit union’s vendor contracts should make it clear that the vendor is to provide notification within a prescribed amount of time after the event has been confirmed. To ensure consistency with the NCUA’s final rule, you may want to negotiate the regulator’s definitions of “reportable cyber incident” and “cyber incident” into the vendor contract. The credit union’s legal counsel can advise on the appropriate place to include the definitions and what additional language to include in your vendor contracts.

Finally, ongoing monitoring of credit union vendors is a proactive means for the credit union to identify potential cyber incidents involving a vendor. The definition of a reportable cyber incident covers not only the loss of, or unauthorized access to, sensitive data, but also a disruption of business operations, vital member services, or a member information system resulting from a cyberattack. Service level agreements (SLAs) stating the vendor’s prescribed performance clarify what might indicate a disruption, and the credit union should strive to include SLAs in the vendor contract. The credit union can then implement processes to monitor against these SLAs so that any disruption in service is identified in a reasonable amount of time. Such monitoring should include timely vendor follow-up to identify the specific cause of the disruption.

VM is an essential process for credit unions to effectively oversee their vendor relationships. Implementing a strong VM program that includes proactively conducting vendor due diligence and contract negotiations, and continuously monitoring vendor performance, will help credit unions understand and mitigate the risks associated with outsourcing and protect themselves and their members from potential losses. Contact Rochdale today at sales@reimaginerisk.com to see how our Outsourced VM Services can help.