NCUA letter: Tighter cyber incident reporting requirements kick in Sept. 1

Credit unions face tighter notification requirements regarding cyber incidents beginning Sept. 1 under rule changes adopted in February, their federal regulator said in a letter Monday.

In Letter to Credit Unions 23-CU-07, the National Credit Union Administration (NCUA) summarized amendments to the agency’s cyber incident reporting rule and provided instructions on what credit unions should report to the agency and how they should report it.

Generally, the rule revisions require that a federally insured credit union notify the NCUA as soon as possible, and no later than 72 hours, after it reasonably believes it has experienced a reportable cyber incident or received a notification from a third party regarding a reportable cyber incident.

Briefly, the letter, signed by agency Board Chairman Todd Harper, says the rule defines a reportable cyber incident as any substantial cyber incident that leads to one or more of the following outcomes:

  • A substantial loss of confidentiality, integrity, or availability of a network or member information system that results from the unauthorized access to or exposure of sensitive data, disrupts vital member services, or has a serious impact on the safety and resiliency of operational systems and processes.
  • A disruption of business operations, vital member services, or a member information system resulting from a cyberattack or exploitation of vulnerabilities.
  • A disruption of business operations or unauthorized access to sensitive data facilitated through, or caused by, a compromise of a credit union service organization, cloud service provider, or other third-party data hosting provider or by a supply chain compromise.

The agency notes that a reportable cyber incident does not include an activity performed “in good faith” by an entity in response to a specific request by the owner or operators of the system. “Contracting a third party to conduct a penetration test is an example of an incident that would be excluded from reporting,” the agency wrote.

The letter provides additional details on the 72-hour reporting deadline, what to report, and other steps that credit unions should be taking – among them, updating response plans, reviewing contracts with service providers, and training staff – to prepare for the Sept. 1 effective date of the rule changes.

NCUA Letter 23-CU-07