On July 21, 2022, the NCUA announced during its seventh open meeting of 2022 that it is issuing a notice of proposed rulemaking on cyber incident notification requirements. The proposed rule would require a federally insured credit union (FICU) to notify the NCUA as soon as possible, but no later than 72 hours, after it reasonably believes that a reportable cyber incident has occurred.
NCUA Chairman of the Board Todd M. Harper said in a statement:
“NCUA Board approval for issuing the proposed rule before us today is a critical step to increasing cybersecurity awareness and protection within the financial system. Federally insured credit unions are not only the system’s first line of defense, but they are also the NCUA’s eyes and ears. When credit unions report these types of incidents, they may very well be helping to keep our nation secure from similar cyberattacks elsewhere.”
Under the proposed rule, reportable incidents will include incidents that lead to a substantial loss of confidentiality, integrity, or availability of a member information system as a result of the exposure of sensitive data, disruption of vital member services, or that have a serious impact on the safety and resiliency of operational systems and processes. The 72-hour notification requirement provides an early alert to the NCUA and does not require credit unions to provide a detailed incident assessment within the 72-hour time frame.
The agency will be accepting comments on the proposed rule within 60 days following publication in the Federal Register.
Read the NCUA’s press release here.
The proposed rule can be found here.