Comments due Sept. 26 on NCUA cyber incident notification proposal

July 28, 2022 NCUA 0

Comments on a proposed rule that would set a 72-hour limit on the time frame for federally insured credit unions (FICUs) to report certain cyber incidents to the National Credit Union Administration (NCUA) are due to the agency Sept. 26, according to a notice in Thursday’s Federal Register.

The proposal, issued during the NCUA Board’s July 21 open meeting, directs credit unions to report such “reportable” incidents as soon as possible “and no later than 72 hours after the federally insured credit union reasonably believes that it has experienced a reportable cyber incident.” This is an early alert, not a detailed incident assessment, the agency noted.

The proposal defines a cyber incident as an occurrence that actually or imminently jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information on an information system; or actually or imminently jeopardizes, without lawful authority, an information system. It defines a “reportable” cyber incident as leading to one or more of the following:

A substantial loss of confidentiality, integrity, or availability of a network or member information system that results from the unauthorized access to or exposure of sensitive data, disrupts vital member services, or has a serious impact on the safety and resiliency of operational systems and processes.
A disruption of business operations, vital member services, or a member information system resulting from a cyberattack or exploitation of vulnerabilities.
A disruption of business operations or unauthorized access to sensitive data facilitated through, or caused by, a compromise of a credit union service organization, cloud service provider, managed service provider, or other third-party data hosting provider or by a supply chain compromise.

Excluded from the proposed definition is “any event where the cyber incident is performed in good faith by an entity in response to a specific request by the owner or operator of the information system,” the notice states.

Reg lookup: Cyber Incident Notification Requirements for Federally Insured Credit Unions

Comments due June 18 on FDIC bank merger policy statement

April 22, 2024 0

Public comments on the federal bank deposit insuring agency’s proposed statement of policy on bank merger transactions are due June 18, according to a notice in Friday’s Federal Register. The proposed statement, issued March 21 by the Federal Deposit Insurance [...]
Nagging inflation pressures, leading to tight money, cited as biggest risk ahead for financial stability

April 22, 2024 0

Persistent inflationary pressures leading to a more restrictive than expected monetary policy stance is the most frequently cited risk to financial stability by researchers, academics and market participants, according to a report issued late Friday by the Federal Reserve. Other [...]

Related