NCUA proposal gives credit unions no more than 72 hours to report cyber incidents

A proposal setting a roughly three-day limit on the time frame for federally insured credit unions (FICUs) to report certain cyber incidents to their federal regulator was issued for comment Thursday with a 60-day comment period attached.

The proposed rule by the National Credit Union Administration (NCUA), issued amid rising frequency and severity of cyberattacks on the financial services sector, directs credit unions to report such “reportable” incidents as soon as possible “and no later than 72 hours after the federally insured credit union reasonably believes that it has experienced a reportable cyber incident,” the agency’s notice of proposed rule states. “This notification requirement provides an early alert to the NCUA and does not require credit unions to provide a detailed incident assessment to the NCUA within the 72-hour time frame.”

A cyber incident is defined by the proposed rule as an occurrence that actually or imminently jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information on an information system, or that actually or imminently jeopardizes, without lawful authority, an information system itself. A “reportable” cyber incident, the notice states, would be a substantial cyber incident that leads to one or more of the following:

  • A substantial loss of confidentiality, integrity, or availability of a network or member information system that results from the unauthorized access to or exposure of sensitive data, disrupts vital member services, or has a serious impact on the safety and resiliency of operational systems and processes.
  • A disruption of business operations, vital member services, or a member information system resulting from a cyberattack or exploitation of vulnerabilities.
  • A disruption of business operations or unauthorized access to sensitive data facilitated through, or caused by, a compromise of a credit union service organization, cloud service provider, managed service provider, or other third-party data hosting provider or by a supply chain compromise.

Excluded from the proposed definition is “any event where the cyber incident is performed in good faith by an entity in response to a specific request by the owner or operator of the information system,” the notice states.

“The proposed definition of reportable cyber incident is intended to capture the reporting of substantial cyber incidents,” according to the proposed rule notice. “What a FICU would consider to be substantial will likely depend on a variety of factors, including the size of the FICU, the type and impact of the loss, and its duration, for example.”

The NCUA said it expects a FICU to exercise reasonable judgment in determining whether it has experienced a substantial cyber incident that would be reportable to the agency. “Under this proposal, if a FICU is unsure as to whether a cyber incident is reportable, the [NCUA] Board encourages the FICU to contact the agency.”

Comments on the proposal are due 60 days after its publication in the Federal Register.

NCUA proposed rule notice for Federal Register