On February 16, 2023, the NCUA approved the final rule on cyber incident reporting requirements during its second open meeting of 2023. The final rule requires a federally insured credit union (FICU) to notify the NCUA as soon as possible, within 72 hours, after it reasonably believes that a reportable cyber incident has occurred.

In July of 2022, the NCUA issued a proposed rulemaking on cyber incident notification requirements that would require a FICU to notify the NCUA of any cyber incident that rises to the level of a reportable as soon as possible but no later than 72 hours after a FICU reasonably believes that a reportable cyber incident has occurred. After carefully considering the comments received, the Board has adopted the final rule largely as proposed to give the NCUA early notice of substantial cyber incidents that have consequences for FICUs as stated in the rule.

Under the final rule, the definition of a reportable cyber incident has three prongs, namely:

(1) It will require a FICU to notify the NCUA of a cyber incident that leads to a substantial loss of confidentiality, integrity, or availability of a member information system as a result of the exposure of sensitive data, disruption of vital member services, or that has a serious impact on the safety and resiliency of operational systems and processes;
(2) It will require reporting to the NCUA in the event of a cyberattack that leads to a disruption of business operations, vital member services, or a member information system; and
(3) It will require a FICU to notify the agency within 72 hours after a third-party has informed a FICU that the FICU’s sensitive data or business operations have been compromised or disrupted as a result of a cyber incident experienced by the third-party or upon the FICU forming a reasonable belief this has occurred, whichever occurs sooner.

The final rule on cyber incident notification requirements will be effective on September 1, 2023, and the NCUA said that it will provide additional reporting guidance prior to the final rule going into effect.

Read the NCUA’s press release here.

The final rule can be found here.

Adam Witmer

Adam Witmer is a speaker, author, and founder of the Compliance Cohort. Adam has taught hundreds of seminars and training sessions to thousands of bankers throughout the United States and teaches on all areas of regulatory compliance. Adam has written five e-books that he never published, hit a grizzly bear while driving in a National Park, and is an award winning photographer and musician (though he no longer takes photos nor plays any instruments). In his spare time, Adam can be found kayaking on the lake, doing taekwondo with his kids, working on his (project) house, or spending time with his family.

Website

Become a Free Member