As of September 1, 2023, federally insured credit unions (FICUs) must comply with the new Cyber Incident Notification Rule recently issued by the NCUA Board. This rule mandates that federally insured credit unions report a qualified cyber incident to the NCUA no later than 72 hours after the incident is detected.
A cyber incident that is substantial is classified as below:
It is worth noting that failed attempts to breach systems or unsuccessful malware attacks are not reportable under this rule. For example, a DDoS attack that disrupts member account access would be reportable under this prong. It is the credit union’s responsibility to amend its contracts with vendors to include provisions for reportability and accountability.
So, what does this mean for your FICU?
You will need to ensure that you are working to amend your contracts to include language of reportability and accountability to your vendors!
The NCUA is expected to provide more information and examples of reportable incidents before September 1, 2023. It is essential for credit unions to familiarize themselves with the new rule and take necessary measures to comply with it to ensure a secure and stable cyber environment for their members.