Resources to help you navigate the changing regulatory landscape

NCUA Issues Guidance on Cyber Reporting Rule for FICUs

The National Credit Union Administration (NCUA) issued Letter to Credit Unions 23-CU-07 to provide additional guidance on the agency’s “cyber incident notification requirements rule.”

As reported in February, beginning on September 1, 2023, all federally insured credit unions will be required to notify the NCUA as soon as possible, and no later than 72 hours, after the credit union reasonably believes it has experienced a “reportable cyber incident” or received a notification from a third party regarding a reportable cyber incident.

A reportable cyber incident is any “substantial” cyber incident that leads to one or more of the following:

  • A substantial loss of confidentiality, integrity, or availability of a network or member information system that results from the unauthorized access to or exposure of sensitive data, disrupts vital member services, or has a serious impact on the safety and resiliency of operational systems and processes.
  • A disruption of business operations, vital member services, or a member information system resulting from a cyberattack or exploitation of vulnerabilities.
  • A disruption of business operations or unauthorized access to sensitive data facilitated through, or caused by, a compromise of a credit union service organization, cloud service provider, or other third-party data hosting provider or by a supply chain compromise.

The NCUA guidance summarizes the agency’s rule, provides instructions on what and how to report to the NCUA, includes examples of both reportable (Appendix A) and non-reportable (Appendix B) incidents, and provides a cyber incident reporting quick reference guide to help facilitate incident reporting.

Per the guidance, federally insured credit unions may report a cyber incident through one of the following channels:

Reporting credit unions should be prepared to provide as much of the following information as is known at the time of reporting:

  • Credit union name.
  • Credit union charter number.
  • Name and title of individual reporting the incident.
  • Telephone number and email address.
  • When the credit union reasonably believed a reportable cyber incident took place.
  • A basic description of the reportable cyber incident, including what functions were, or are reasonably believed to have been, affected or if sensitive information was compromised.

If NCUA requires additional information or clarification, the agency will follow up with the credit union directly.

‘Compliance Hotline’
Your California and Nevada Credit Union Leagues-member benefits also include the Compliance Hotline — providing exclusive access to dedicated compliance experts! Contact the hotline anytime to gain access to a knowledgeable team that’s ready to address all your credit union’s compliance inquiries — promptly and efficiently:

With the Compliance Hotline, you can proactively respond to impromptu questions and issues by receiving clarity and insight on technical topics that normally slow you down. We want to help you unlock the full potential of your League membership by leveraging the resources and support you need to navigate the complex world of compliance effortlessly. We’re ALWAYS just a phone call or email away!

Additional League-Member Compliance Resources
More compliance resources and benefits of League membership include:

  • ViClarity
  • CU PolicyPro
  • ComplySight
  • InfoSight
  • CU Store
  • Record Retention Guide
  • GRC Technology Solutions

For more information or questions, email Leagues Vice President of Regulatory Advocacy and Compliance Lisa Quaranta.

Powered by ViClarity, a California and Nevada Credit Union Leagues company.
