NCUA Issues Guidance on Cyber Reporting Rule for FICUs

The National Credit Union Administration (NCUA) issued Letter to Credit Unions 23-CU-07 to provide additional guidance on the agency’s “cyber incident notification requirements rule.”

As reported in February, beginning on September 1, 2023, all federally insured credit unions will be required to notify the NCUA as soon as possible, and no later than 72 hours, after the credit union reasonably believes it has experienced a “reportable cyber incident” or received a notification from a third party regarding a reportable cyber incident.

A reportable cyber incident is any “substantial” cyber incident that leads to one or more of the following:

• A substantial loss of confidentiality, integrity, or availability of a network or member information system that results from the unauthorized access to or exposure of sensitive data, disrupts vital member services, or has a serious impact on the safety and resiliency of operational systems and processes.
• A disruption of business operations, vital member services, or a member information system resulting from a cyberattack or exploitation of vulnerabilities.
• A disruption of business operations or unauthorized access to sensitive data facilitated through, or caused by, a compromise of a credit union service organization, cloud service provider, or other third-party data hosting provider or by a supply chain compromise.

The NCUA guidance summarizes the agency’s rule, provides instructions on what and how to report to the NCUA, includes examples of both reportable (Appendix A) and non-reportable (Appendix B) incidents, and provides a cyber incident reporting quick reference guide to help facilitate incident reporting.

Per the guidance, federally insured credit unions may report a cyber incident through one of the following channels:

• Call the NCUA at 1-833-CYBERCU (1.833.292.3728) and leave a voicemail.
• Use the NCUA Secure Email Message Centerto send a secure email to cybercu@ncua.gov.

Reporting credit unions should be prepared to provide as much of the following information as is known at the time of reporting:

• Credit union name.
• Credit union charter number.
• Name and title of individual reporting the incident.
• Telephone number and email address.
• When the credit union reasonably believed a reportable cyber incident took place.
• A basic description of the reportable cyber incident, including what functions were, or are reasonably believed to have been affected or if sensitive information was compromised.

If NCUA requires additional information or clarification, the agency will follow up with the credit union directly.