Experiencing a cyber incident within your credit union can be stressful, whether it originates in your own systems or at a third-party vendor. Regardless of where it originated or when it occurred, the National Credit Union Administration (NCUA) now expects your credit union to report a reportable cyber incident as soon as possible and no later than 72 hours after the credit union reasonably believes one has occurred. The rule is explained in NCUA Letter to Credit Unions 23-CU-07, and it took effect on September 1, 2023.
The NCUA's guidance points credit unions to their vendor contracts as one way to comply with the new rule. Here's an overview of how to determine whether an incident is reportable and how to support compliance through your vendor contracts.
Reportable Cyber Incidents to the NCUA and the CIA Triad
Before you start writing this rule into your vendor contracts, it's important to understand what the NCUA considers a reportable cyber incident. For example, a phishing attack that successfully installed malware, or the discovery of zero-day malware on your systems, is substantial enough to report; a phishing email that was filtered before it reached an inbox, or malware that antivirus software quarantined and removed, would not generally be a reportable cyber incident.
When thinking about cybersecurity incidents that occur internally or at your third-party vendors, it helps to be familiar with the CIA triad – confidentiality, integrity, and availability. The NCUA expects a credit union to report an incident that causes a substantial loss of one of these properties in a network or member information system, whether that system is run in-house or by a vendor.
Here are two foundational questions you can ask to help determine if an incident is reportable:
- Did the incident cause a substantial loss of the confidentiality, integrity, or availability of our network or a member information system?
- Did the incident disrupt our business operations or vital member services, including through a compromise at a vendor, cloud provider, or other third party?
If you answer “yes” to either question, the incident is likely reportable, and the 72-hour clock is already running.
Vendor Contract Considerations to Implement NCUA 23-CU-07
Contract Consideration 1: Incident Notification Requirement
Once you’ve defined a reportable incident, you can begin implementing relevant language into your vendor contracts. An incident notification requirement can help keep your credit union compliant with the NCUA regulation while also ensuring that you have the information you need to notify your members.
- Definition of an incident – Make sure your contract is clear on what’s considered a cyber incident. The NCUA’s guidance is a good starting point. However, you may still want to collaborate with your legal team and other qualified subject matter experts (SMEs), like information security, for additional clarification.
- Timing of notification – The NCUA’s 72-hour deadline applies to incidents at your vendors as well as incidents in your own systems, so every hour a vendor takes to tell you is time you no longer have to assess the incident. Require notification well inside 72 hours, for example within 24 hours of the vendor’s discovery, so you can decide whether the incident meets the NCUA’s definition and still meet the NCUA’s cyber incident notification requirement.
- Investigation and remediation – Require the vendor to provide a basic description of the incident: which systems or services were affected, how it happened if known, and whether any member or other sensitive information was compromised. This is the information you will need for your own report to the NCUA. The NCUA does not require remediation details in the initial notification, but you should still know how your vendor is containing and remediating the incident.
- Prevention – After an incident is discovered, your vendor should also provide documented actions that state how they will prevent future breaches. Depending on the incident, this might include additional training or more frequent vulnerability and penetration testing.
- Penalties – Your credit union should also decide on penalties for the vendor after an incident. This might involve financial penalties or suspending or terminating the contract.
Contract Consideration 2: Right to Audit Clause
The NCUA regulation is primarily focused on identifying and reporting cyber incidents, with the intention of improving a credit union’s response capabilities, but it’s also important to proactively mitigate the risks that lead to these incidents. One mitigation tactic is to include a right to audit clause in your vendor contract, which obligates the vendor to provide specified information on request.
Consider the following questions as you draft the clause:
- Which documents will we need to request from the vendor? Be specific about the documentation, such as the vendor’s policies and procedures, business continuity testing, and third-party audit results.
- How quickly should the vendor provide those documents? Timelines are important to ensure that you’re reviewing the most current information available. For example, you might state that the vendor should provide a certain policy within 10 days after you request it.
- What is the penalty if the vendor doesn’t provide documentation on time? The clause should also state any penalties for not supplying documentation on time, whether that’s contract termination or suspension.
Implementing the NCUA reporting requirement may take some effort, but it should ultimately strengthen your cybersecurity program. With some careful planning and vendor contract considerations, you’ll be prepared to prevent and address cyber incidents that put your credit union and members at risk.