The National Credit Union Administration (NCUA) issued Letter to Credit Unions 23-CU-07 to provide additional guidance on the agency’s “cyber incident notification requirements rule.”
As reported in February, beginning on September 1, 2023, all federally insured credit unions will be required to notify the NCUA as soon as possible, and no later than 72 hours, after the credit union reasonably believes it has experienced a “reportable cyber incident” or received a notification from a third party regarding a reportable cyber incident.
A reportable cyber incident is any “substantial” cyber incident that leads to one or more of the following:
The NCUA guidance summarizes the agency’s rule, provides instructions on what and how to report to the NCUA, includes examples of both reportable (Appendix A) and non-reportable (Appendix B) incidents, and provides a cyber incident reporting quick reference guide to help facilitate incident reporting.
Per the guidance, federally insured credit unions may report a cyber incident through one of the following channels:
Reporting credit unions should be prepared to provide as much of the following information as is known at the time of reporting:
If NCUA requires additional information or clarification, the agency will follow up with the credit union directly.
2855 East Guasti Rd., Suite 202
Ontario, CA 91761
909.212.6000
1201 K. St., Suite 1050
Sacramento, CA 95814-3992
916.325.1360
c/o Great Basin FCU
9770 South Virginia Street
Reno, NV 89511-5941
202.638.5777 www.cuna.org
www.dfpi.ca.gov
Clothilde “Cloey” V. Hewlett — 415.263.8500
fid.state.nv.us
702.486.4120 (Las Vegas)
775.684.2970 (Carson City)