What CUs Need to Know About the New Cyber Incident Reporting Requirements

The NCUA’s final rule goes into effect on Sept. 1.

By Matthew G. White and Alexander F. Koskey |

Image: Shutterstock

The NCUA has approved new cyber incident reporting requirements for credit unions. Under the final rule, federally insured credit unions will be required to notify the NCUA of a “reportable cyber incident” within 72 hours of such an event. The NCUA’s final rule follows the 36-hour notification requirement implemented for banking organizations last year. While the final rule doubles the reporting time for credit unions, it also could require credit unions to notify the NCUA of a significantly broader set of incidents than required for banking organizations. The final rule continues the trend of regulators increasing their focus on the cybersecurity safeguards among financial institutions and, in particular, of requiring faster notifications when incidents occur.

The final rule will go into effect on Sept. 1, 2023. Here, we’ll provide a primer about the rule and proactive steps credit unions should be taking in anticipation of these new reporting requirements.

What Is a Reportable Cyber Incident?

The rule requires credit unions to notify the NCUA no later than 72 hours after it reasonably believes a reportable cyber incident has occurred. A reportable cyber incident is defined as any substantial cyber incident that leads to:

• A substantial loss of confidentiality, integrity or availability of a network or member information system that results from the unauthorized access to or exposure of sensitive data, disrupts vital member services, or has a serious impact on the safety and resiliency of operational systems and processes;
• A disruption of business operations, vital member services, or a member information system resulting from a cyberattack or exploitation of vulnerabilities; and/or
• A disruption of business operations or unauthorized access to sensitive data facilitated through, or caused by, a compromise of a CUSO, cloud service provider, managed service provider, or other third-party data hosting provider or a supply chain compromise.

Examples of Reportable Incidents

The NCUA’s final rule contained some examples of what may constitute a reportable cyber incident, including, without limitation:

• If a member information system has been unlawfully modified and/or sensitive data has been left exposed to an unauthorized person, process or device;
• A failed system upgrade or change that results in unplanned widespread user outages for credit union members and employees; or
• A distributed denial of service (DDoS) attack that disrupts member account access.

The rule does state that incidents such as unsuccessful malware attacks or failed attempts to gain access to systems do not have to be reported. In addition, third-party incidents that are unknown to a credit union and hold information about individuals who happen to be credit union members or employees do not impose a notification requirement.

How Should Incidents Be Reported?

According to the final rule, incidents may be reported to the NCUA “via email, telephone or other similar methods that the NCUA may prescribe.” The reporting methods are designed to give credit unions flexibility based upon the impact of a potential cyber incident. The NCUA has also stressed that an initial report does not have to include a full assessment of the incident.

Next Steps for Credit Unions

The NCUA will be providing additional guidance, including examples of reportable and non-reportable incidents, before the final rule becomes effective in September. In the meantime, credit unions should be reviewing and updating their incident response plans and vendor management programs to ensure that they are prepared to comply with these enhanced requirements.