Comments due Sept. 26 on NCUA cyber incident notification proposal

Comments on a proposed rule that would give federally insured credit unions (FICUs) no more than 72 hours to report certain cyber incidents to the National Credit Union Administration (NCUA) are due to the agency Sept. 26, according to a notice in Thursday’s Federal Register.

The proposal, issued during the NCUA Board’s July 21 open meeting, directs credit unions to report such “reportable” incidents as soon as possible “and no later than 72 hours after the federally insured credit union reasonably believes that it has experienced a reportable cyber incident.” This is an early alert, not a detailed incident assessment, the agency noted.

The proposal defines a cyber incident as an occurrence that actually or imminently jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information on an information system, or that actually or imminently jeopardizes, without lawful authority, an information system itself. A “reportable” cyber incident is one that leads to one or more of the following:

  • A substantial loss of confidentiality, integrity, or availability of a network or member information system that results from the unauthorized access to or exposure of sensitive data, disrupts vital member services, or has a serious impact on the safety and resiliency of operational systems and processes.
  • A disruption of business operations, vital member services, or a member information system resulting from a cyberattack or exploitation of vulnerabilities.
  • A disruption of business operations or unauthorized access to sensitive data facilitated through, or caused by, a compromise of a credit union service organization, cloud service provider, managed service provider, or other third-party data hosting provider or by a supply chain compromise.

Excluded from the proposed definition is “any event where the cyber incident is performed in good faith by an entity in response to a specific request by the owner or operator of the information system,” the notice states.

Reg lookup: Cyber Incident Notification Requirements for Federally Insured Credit Unions