The League – Fostering Financial Wellbeing for All

NCUA OKs 72-hour deadline to report “cyber incident”

News Compliance Courier

NEWS: Today, the NCUA Board unanimously approved a final rule that requires a federally insured credit union to notify the NCUA as soon as possible, within 72 hours, after it reasonably believes that a reportable cyber incident has occurred.

Last September, The League submitted a comment letter in support of the proposed rule. We urged the NCUA to stick with a 72-hour reporting deadline. “We believe that this reporting window – as required under the Cyber Incident Reporting Act – is more reasonable and realistic than the 36-hour reporting window recently adopted by federal banking regulators,” we wrote.

Under the final rule, federally insured credit unions are required to report a cyber incident that leads to a substantial loss of confidentiality, integrity, or availability of a network or member information system as a result of the exposure of sensitive data, disruption of vital member services, or that has a serious impact on the safety and resiliency of operational systems and processes. Additionally, cyberattacks that disrupt a credit union’s business operations, vital member services, or a member information system must be reported to the NCUA within 72 hours of a credit union’s reasonable belief that it has experienced a cyberattack.

The 72-hour notification requirement provides an early alert to the NCUA and does not require credit unions to provide a full incident assessment to the NCUA within the 72-hour timeframe.

The effective date of this final rule is September 1, 2023.

The NCUA will provide additional reporting guidance prior to the final rule going into effect, and The League will provide additional information as we learn more about the new rule.