NCUA provides clarity on cyber incident reporting requirements

In a new Letter to Credit Unions sent Monday, the NCUA summarized its amendments to part 748 – which take effect Sept. 1 – requiring all federally-insured credit unions to notify the NCUA as soon as possible, and no later than 72 hours, after the credit union reasonably believes it has experienced a reportable cyber incident.

The letter offers additional commentary surrounding the definitional components of a substantial cyber incident and provides specific information about how to report an incident to the NCUA.

The NCUA instructs credit unions to either call the NCUA at 1.833.CYBERCU (1.833.292.3728) and leave a voicemail or use the NCUA Secure Email Message Center to send a secure email to cybercu@ncua.gov.

In addition, the letter describes what content should be included in the cyber incident report and highlights that sensitive personally identifiable information, indicators of compromise, specific vulnerabilities, or email attachments should not be sent to the NCUA.

View the Letter to Credit Unions. NAFCU will continue to advocate for harmonization of incident response requirements as the Cybersecurity and Infrastructure Security Agency (CISA) makes progress towards implementing its own set of rules under the Cyber Incident Reporting for Critical Infrastructure Act.