US Credit Unions to Come Under Cyber Incident Reporting Rule

It's not hard to believe that the financial services industry is a high value target for cyber threat actors. Firms in this sector are 300 times more likely to be targeted by a cyberattack and over 50% of these companies are at heightened risk of becoming a victim of ransomware.

On July 21, 2022, the National Credit Union Administration Board held its seventh open meeting of 2022 and unanimously approved a notice of proposed rulemaking on cyber incident notification requirements. The proposed rule would require federally charted credit unions to report within 72 hours any incident that leads to the "substantial loss" of confidentiality, integrity or availability of member information.

“NCUA Board approval for issuing the proposed rule before us today is a critical step to increasing cybersecurity awareness and protection within the financial system,” Chairman Todd M. Harper said.

Under the proposed rule, a federally insured credit union would be required to report a cyber incident that leads to a substantial loss of confidentiality, integrity, or availability of a member information system as a result of the exposure of sensitive data, disruption of vital member services, or that has a serious impact on the safety and resiliency of operational systems and processes. With credit unions being NCUA’s "eyes and ears," they are hoping that by credit unions reporting these cyber incidents early, they can contribute to keeping the nation secure from similar cyberattacks elsewhere.

Ransomware in the financial sector

Bitsight recently analyzed hundreds of ransomware incidents over the last three years — including those impacting the Financial sector — to identify common security performance gaps and challenges that lead to successful ransomware incidents. Based on our analysis, we find that certain security program practices may be critical to reduce the likelihood of experiencing a ransomware incident. We also identify which vulnerabilities are closely tied with ransomware campaigns.

Are ransomware incidents actually increasing, or are they just becoming more public? Data suggests that ransomware attacks have indeed increased dramatically over the last year. Law enforcement officials state that while there have been hundreds of publicized ransomware incidents, just as many have taken place behind closed doors. Insurers report that ransomware-related incidents are on the rise; insurance broker Aon finds that ransomware attacks have increased 486% over the past two years, resulting in significant financial losses for organizations globally. According to a recent Cambridge University study, ransomware insurance claims represented more than half of cyber insurance claim losses in 2020.

Increased likelihood of ransomware based on overall security performance

Overall, the data shows that organizations with weaker overall security performance are more likely to experience a ransomware incident. Bitsight continuously and non-intrusively assesses organizational cybersecurity performance by evaluating externally observable security performance issues across 23 different categories, including compromised and exposed systems, critical vulnerabilities, patching rates, software security, and other key issues. Bitsight processes more than 250 billion security measurements on a daily basis to provide an objective security rating (using a 250-900 scale), following a similar approach followed by credit rating agencies, based on its observations that is independently verified to be correlated with breach risk.

Bitsight applied its data to the Financial sector to understand how Financial companies are performing and their risk of ransomware. Overall, nearly 46% of Financial sector organizations have a 750+ rating, making them less likely to experience a ransomware attack. This means that 54% of the Financial sector is at heightened risk of ransomware. 

To help credit unions and other financial institutions, Bitsight created a guide on how best to prepare for and prevent ransomware attacks.