Cyber Incident Notification Requirements for Federally Insured Credit Unions

Fri March 10, 2023

Effective Sept. 1, 2023, credit unions will need to comply with the new amendments to Part 748 of the NCUA Regulations, which require them to report cyber incidents as soon as possible, but not later than 72 hours after the possible cyber incident is believed to have occurred.

What is a Reportable Cyber Incident under the new rules? Any substantial cyber incident that leads to one or more of the following:

  1. A substantial loss of confidentiality, integrity, or availability of a network or member information system that results from the unauthorized access to or exposure of sensitive data, disrupts vital member services, or has a serious impact on the safety and resiliency of operational systems and processes.
  2. Disruption of business operations, vital member services, or a member information system resulting from a cyberattack or exploitation of vulnerabilities.
  3. Disruption of business operations or unauthorized access to sensitive data facilitated through, or caused by, a compromise of a credit union service organization, cloud service provider, or other third-party data hosting provider or by a supply chain compromise.

A reportable cyber incident does not include an event where the cyber incident is performed in good faith by an entity in response to a specific request by the owner or operators of the system.

In the commentary to the final rule, the NCUA indicated that it will provide additional guidance and examples of reportable and non-reportable incidents prior to the effective date of the final rule.

Credit unions should also be aware that Congress enacted the Cyber Incident Reporting for Critical Infrastructure Act of 2022 requiring entities to report covered cyber incidents to the Cybersecurity and Infrastructure Security Agency (CISA) not later than 72 hours after the entity reasonably believes that a covered cyber incident has occurred. CISA has until 2025 to publish a final rule implementing the requirements and defining terms. While the NCUA’s final rule is intended to serve as an early alert to the NCUA and not intended to include a lengthy assessment of the incident, we can expect the rules to evolve as the NCUA coordinates and works with CISA on future credit union cyber incident reporting in their efforts to avoid duplication.

Credit unions should be on the lookout for corresponding updates to the Security Channel on InfoSight and related Information Security/Incident Response policies within CU PolicyPro.
