Credit union regulator finalizes ‘cyber incident’ rule, proposes new membership rules

A final rule on what makes a “reportable cyber incident,” and a proposed regulation that governs who can (and cannot) join a credit union were issued Thursday by the board of the federal credit union regulator.

The final rule on cyber incidents requires a federally insured credit union to notify the NCUA as soon as possible, and no later than 72 hours, after it reasonably believes that a reportable cyber incident has occurred, the National Credit Union Administration (NCUA) said in a release.

The agency said the final rule requires federally insured credit unions to report a cyber incident that leads to a substantial loss of confidentiality, integrity, or availability of a network or member information system as a result of the exposure of sensitive data or the disruption of vital member services. A cyber incident is also reportable when it has a serious impact on the safety and resiliency of operational systems and processes, the agency said.

Additionally, under the final rule, cyberattacks that disrupt a credit union’s business operations, vital member services, or a member information system must be reported to the NCUA within 72 hours of a credit union’s reasonable belief that it has experienced a cyberattack, the agency said.

“The 72-hour notification requirement provides an early alert to the NCUA and does not require credit unions to provide a full incident assessment to the NCUA within the 72-hour timeframe,” NCUA said.

The effective date of this final rule is Sept. 1; the agency said it would provide additional reporting guidance prior to the final rule going into effect.

The proposal on credit union membership requirements (characterized by the agency as changes to its chartering and field of membership manual) makes nine changes that, NCUA said, “enhance consumer access to safe, fair and affordable financial services, especially in under-resourced communities.”

More specifically, the agency said the proposed changes would:

  • Make four changes to the rules for underserved areas that multiple common-bond federal credit unions (FCUs) may seek to add to their fields of membership. The changes streamline existing application requirements and clarify the role of data and criteria that other federal agencies provide relating to underserved areas.
  • Eliminate the business and marketing plan requirement for certain federally insured, state-chartered credit unions that seek to convert to a federal charter while serving the same community field of membership.
  • Expand the community-based field-of-membership affinities — relationships between a person and the geographic community — to recognize the growth of telecommuting and remote work for companies headquartered in a community.

The proposal also, NCUA said, includes a provision to allow all FCUs to better capture the ongoing bond between individuals within a field of membership and their immediate family members following the death of a member.

A technical clarification and correction is also proposed on the process for the agency to review and approve the character and fitness of a prospective FCU’s management and officials, NCUA said.
